Author Archives: privacynewshighlights

01-08 April 2016


IN – Indian Gov’t Biometric Database at One Billion-Person Mark

India’s biometric database notched up one billion members this week, as the government sought to allay concerns about privacy breaches in the world’s biggest such scheme. India is home to 1.2 billion people. The database was set up 7 years ago to streamline benefit payments to millions of poor people as well as to cut fraud and wastage. Under the scheme, called Aadhaar, almost 93% of India’s adult population have now registered their fingerprints and iris signatures and been given a biometric ID. IT minister Ravi Shankar said the initiative had enabled millions to receive cash benefits directly rather than dealing with middlemen. He said the government had saved 150 billion rupees ($2.27 billion) on its gas subsidy scheme alone – by paying cash directly to biometric card holders instead of providing cylinders at subsidised rates. He also said all adequate safeguards were in place to ensure the personal details of card holders could not be stolen or misused by authorities given access to the database. His comments come after parliament passed legislation giving government agencies access to the database in the interests of national security. It was passed using a loophole to circumvent the opposition in parliament, where the ruling Bharatiya Janata Party (BJP) lacks a majority in the upper house. [Agence France-Presse]

JP – Fingerprints to be Tested as ‘Currency’ in Japan

Starting this summer, the Japanese government will test a system in which foreign tourists will be able to verify their identities and buy things at stores using only their fingerprints. The government hopes to increase the number of foreign tourists by using the system to prevent crime and relieve users from the necessity of carrying cash or credit cards. It aims to realize the system by the 2020 Tokyo Olympic and Paralympic Games. The experiment will have inbound tourists register their fingerprints and other data, such as credit card information, at airports and elsewhere. Tourists would then be able to conduct tax exemption procedures and make purchases after verifying their identities by placing two fingers on special devices installed at stores. The Inns and Hotels Law requires foreign tourists to show their passports when they check into ryokan inns or hotels. The government plans to substitute fingerprint authentication for that requirement. A total of 300 souvenir shops, restaurants, hotels and other establishments will participate in the experiment. They are located in areas that are popular among foreign tourists. The government plans to gradually expand the experiment by next spring, to cover areas including tourist sites in the Tohoku region and urban districts in Nagoya. It hopes to realize the system throughout the country, including Tokyo, by 2020. [Source]


CA – CSE and CSIS Looking to Work Together, Say Top Secret Documents

Canada’s top two intelligence agencies looking for new ways to work together, while review bodies remain in silos. The heavily censored documents were sent by CSE chief Greta Bossenmaier and CSIS director Michel Coulombe to Richard Fadden, the national security adviser to the prime minister, in August 2015. Fadden was both a former director of CSIS and the former top bureaucrat at National Defence, which is responsible for CSE. Bossenmaier and Coulombe suggest the two agencies are trying to “leverage (CSE’s) Mandate C authorities,” and set up a working group to “maximize opportunities for operational collaboration.” That could spell trouble for the small group of independent watchdogs reviewing the spy agencies’ activities. Both Security Intelligence Review Committee and the CSE Commissioner’s office can review their respective agencies but can’t conduct joint investigations or see the big picture. [The Star]

CA – Liberals Postpone Full Access-to-Information Reform to 2018

The Liberal government says a full review of the outdated Access to Information Act will have to wait another two years. A comprehensive examination of the access law will begin in 2018, Treasury Board President Scott Brison said. Meantime, the government plans to introduce legislation as soon as this year with quick fixes to the law, based on promises the Liberals made during the election campaign and consultations already under way. The promised changes include giving the information commissioner the power to order government records to be released and ensuring the access law applies to the offices of the prime minister, his cabinet members and administrative institutions that support Parliament and the courts. A Commons committee recently began a study of the Access to Information Act, which has not been substantially updated since it took effect almost 33 years ago. In addition, the government began a public consultation on transparency on Tuesday. People can go to to offer their views on what should be in the next federal strategy on open government. Officials will also hold in-person discussions across the country and the resulting plan is to be released this summer. [Source] See also: [Canadian officials requested to meet with Information Commissioner Suzanne Legault in order to find “a mutually satisfactory resolution” to a constitutional challenge to a law that protected Mounties after they destroyed data]


US – FCC Exploring Supercookie Ban in Verizon Case

As part of the FCC’s proposal to require ISPs to gain consent before tracking consumers’ online behavior for ad purposes, it is also considering banning certain tracking technologies. The FCC is seeking comment on “whether the use of persistent tracking technologies may expose … customers to unique privacy harms and as such, whether the Commission should prohibit (Internet service) providers from employing such practices.” More specifically, it would like to know whether the technologies should require some form of customer consent, and whether the technology, or banning it, has benefits for consumers. [Full Story]

EU – Group of 75 Consumer Orgs Comes Out Against Shield

Trans Atlantic Consumer Dialogue, a collection of 75 consumer-rights groups based in the U.S. and Europe, issued a statement today urging the European Commission “not to adopt the Privacy Shield.” The group criticized the potential adequacy agreement for being a “self-declared, self-regulatory system, which will be adhered to by a limited number of companies” and said the U.S., because it lacks a “robust” privacy framework, cannot guarantee an essentially equivalent level of protection for personal information of European citizens. TACD also urged the Commission to hold off on signing the EU-U.S. Umbrella Agreement for the sharing of data between law-enforcement agencies and to “prompt those Member States engaging in mass surveillance of individuals to put an end to such practices.” [Full Story]


CA – CRTC Enters into MOU with FTC on Spam & DnC

On March 24, 2016, the CRTC signed a memorandum of understanding with the US FTC. The MOU is an effort by Canada and the US to work together on anti-spam enforcement measures, and expressly refers to unsolicited telecommunications, unsolicited commercial electronic messages (spam), and other unlawful electronic threats (e.g., malware and botnets). The MOU will allow the Participants to facilitate research and education related to unauthorized communications. Both Commissions also plan to share knowledge and expertise through training programs and staff exchanges, and to inform each other of developments related to the laws, among other activities. [Source]

US – FBI: $2.3 Billion Lost to CEO Email Scams

The U.S. FBI this week warned about a “dramatic” increase in so-called “CEO fraud,” e-mail scams in which the attacker spoofs a message from the boss and tricks someone at the organization into wiring funds to the fraudsters. The FBI estimates these scams have cost organizations more than $2.3 billion in losses over the past three years. In an alert posted to its site, the FBI said that since January 2015, the agency has seen a 270% increase in identified victims and exposed losses from CEO scams. The alert noted that law enforcement globally has received complaints from victims in every U.S. state, and in at least 79 countries. The FBI estimates that organizations victimized by CEO fraud attacks lose on average between $25,000 and $75,000. But some CEO fraud incidents over the past year have cost victim companies millions — if not tens of millions — of dollars. [Krebs]


WW – WhatsApp Just Switched on Encryption for a Billion People

WhatsApp, an online messaging service now owned by tech giant Facebook, has grown into one of the world’s most important applications. More than a billion people trade messages, make phone calls, send photos, and swap videos using the service. And today, the enigmatic founders of WhatsApp revealed that the company has added end-to-end encryption to every form of communication on its service. This means that if any group of people uses the latest version of WhatsApp—whether that group spans two people or ten—the service will encrypt all messages, phone calls, photos, and videos moving among them. And that’s true on any phone that runs the app, from iPhones to Android phones to Windows phones to old school Nokia flip phones. With end-to-end encryption in place, not even WhatsApp’s employees can read the data that’s sent across its network. In other words, WhatsApp has no way of complying with a court order demanding access to the content of any message, phone call, photo, or video traveling through its service. Like Apple, WhatsApp is, in practice, stonewalling the federal government, but it’s doing so on a larger front—one that spans roughly a billion devices. [WIRED] See also: [Public Safety, RCMP saying little about WhatsApp encryption]

EU Developments

EU – Deal with EU, Canada to Share Air Travellers’ Data Raises Privacy Fears

An agreement between the EU and Canada to share airline passenger data that they say is key to fighting terrorism drew tough scrutiny at an EU court hearing last week because of privacy concerns. The dispute over the retention and sharing of passenger name records (PNR) has become a shibboleth in Brussels for the debate over balancing people’s privacy with the need to protect against terrorism. The agreement with Canada foresees the retention and sharing with Canadian authorities of airline passenger data by carriers operating flights between the EU and Canada. The Luxembourg-based Court of Justice of the European Union (ECJ) heard arguments for and against the agreement at a six-hour proceeding. Islamist militant attacks in Paris last year and last month’s attacks in Brussels have stoked calls for law enforcement agencies to have easier access to people’s data. Ireland, France, Britain, Spain and Estonia, who intervened in the case, emphasized that PNR do not allow investigators to paint a detailed picture of someone’s private life. But the European Parliament and privacy advocates cast doubt on that assertion. [Reuters]

EU – Other News

Facts & Stats

WW – 2016 Data Security Incident Response Report

BakerHostetler has yet again compiled a year’s worth of breach response data into a compact report that analyzes trends in data breach response, released this year to coincide with the Global Privacy Summit. “Is Your Organization Compromise Ready?” documents lessons learned from more than 300 security incidents in 2015. Some of the major findings? Nearly a quarter of all breaches happened in the healthcare industry. It takes an average of 69 days from occurrence of a breach to its discovery, and an average of 40 days from discovery to notification. And nearly a quarter of incidents led to regulatory investigations or inquiries. [Read More]


WW – Panama Document Leak Exposes Global Corruption, Secrets of the Rich

The financial secrets of heads of state, athletes, billionaires and drug lords have been exposed in the latest — and biggest ever — leak of records from an offshore tax haven. The leak includes 11.5 million confidential documents shedding light on the assets and murky fiscal dealings of everyone from the prime ministers of Iceland and Pakistan to soccer player Leo Messi, movie star Jackie Chan and associates of Russian President Vladimir Putin. The records, dating as far back as 1977, come from a little-known but highly influential Panama-based law firm called Mossack Fonseca, which has 500 staff working in 40-plus countries. The firm is one of the world’s top creators of shell companies — corporate structures that can be used to hide ownership of assets. German newspaper Süddeutsche Zeitung obtained the files from a source and shared them with global media partners, including CBC News and the Toronto Star, through the Washington-based International Consortium of Investigative Journalists. The release of the leaked documents may prompt governments to seek “concrete sanctions” against jurisdictions and institutions that peddle offshore secrecy. [CBC] News

US – NAIC Seeks Feedback for Insurance Data Security Law

A cybersecurity task force of the National Association of Insurance Commissioners (NAIC) has proposed a new insurance data security model law. The initiative, introduced last month, establishes new standards for data security, breach responses and the roles of the regulator, the organization says. “Because insurance is a data-driven industry, regulators must understand what data is being collected and for what purpose,” the NAIC said. “Today, regulators and companies have a need for data beyond what has been traditionally collected. But what regulators need is greater insight, not just more data.” Early responses to the proposed law have been mixed, with other associations raising concerns about the law’s suggestion that insurance regulations be allowed to vary by state and variations in response allowed for jurisdictional commissioners. After several high-profile hacks in 2015, the insurance industry and its regulators still are learning about the hackers aggressively hunting customer’s personally identifiable information (PII) data, financial records and medical histories. [Source] [See Graphic] See also: [state data security breach notification laws] and also: [Cyber insurance underwriters may want to consider less “absolute” questionnaires: ICRMC speaker]

US – Cyber Insurance Rates Drop

The rates for cyber insurance for organizations usually deemed to be high risk, such as retailers and healthcare organizations, fell during the first three months of 2016 because of a drop in high-profile breaches. The average price for US $1 millions in insurance fell to US $18,756. Last year, in the wake of high profile breaches like those at Target and Home Depot, the average premium was as high as US $21,642. [Reuters]


CA – NL Teachers Going to Court to Fight Sunshine List Disclosure

The Newfoundland and Labrador Teachers’ Association (NLTA) plans to go to court to block the release of the names of about 300 people who earn more than $100,000 working in the province’s school system. NLTA president Jim Dinn said that when he became aware of an access to information request seeking the names and salaries of teachers, he “immediately” knew the association had to fight it. Dinn said he believes releasing the list of teachers, principals and other educators earning more than $100,000 would be an undue invasion of privacy. Last year, as part of the Progressive Conservative government’s push for greater government openness and transparency, then-minister Steve Kent committed to creating a so-called “sunshine list” that would include the names, positions and remuneration of all government employees earning more than $100,000. The project was never completed because the Tories were tossed from government by voters in the November election. Since they took power, the new Liberal government has been indecisive on whether to follow through. In the meantime, The Telegram filed a suite of access to information requests in an attempt to create an ad hoc sunshine list. Several public bodies — including Memorial University, the core civil service, Nalcor Energy and the Royal Newfoundland Constabulary — have provided the requested information, and that data will be posted online by The Telegram this week. However, the province’s four regional health authorities and the English School District have declined to provide employees’ names. Those five public bodies said they would first inform their employees about the potential disclosure, and if anybody objected, the matter would be sent to the Office of the Information and Privacy Commissioner, or to the courts, for a ruling. [Source]

CA – NL Salary Disclosures OK Under New Access Law, Watchdog Says

Newfoundland and Labrador’s information and privacy commissioner says the new transparency law that replaced Bill 29 permits the public release of salary details of employees of public bodies. “It is our view that such a disclosure is in compliance with the law,” Ed Ring said in a press release issued Monday afternoon. Ring noted that a number of public bodies have already released that information in response to open-records requests. But he said others “have been uncertain in their interpretation of the law,” and have notified affected employees before releasing the information. Ring noted that a panel led by former premier and judge, Clyde Wells, that reviewed access-to-information laws found that disclosure of salary details is not an unreasonable invasion of privacy, and therefore cannot be withheld by a public body. “It is the interpretation of this office that this means that names of public body employees and their salaries are to be disclosed to an access-to-information applicant upon request,” Ring noted. “This type of disclosure is not unusual in Canada, and for example, has been done for many years under different legislation in Ontario.” [Source]

US – The FBI Says a Piece of Code Broke Its FOIA System

In February, activist Michael Best took a novel approach to filing a mass of Freedom of Information Act requests at once: he wrote a script to automatically ask for the files of just under 7,000 dead FBI officials. The FBI has replied, and it is not happy. The agency decided to not accept any of Best’s related requests, and may have also blocked or otherwise filtered further emails sent to the agency’s FOIA department by him. The episode shows that the way FOIAs are processed is very much an antiquated practice, and that perhaps US government agencies should think of new ways to handle requests. “The FBI email portal is designed to provide a convenient, alternative means to all Freedom of Information Act (FOIA) and Privacy Act (PA) requestors [sic] to make requests for FBI records,” a letter from David M. Hardy with the FBI’s Records Management Division to Best, dated March 30, 2016, reads. “On February 29, 2016, the FBI received an exceedingly high volume of submissions from you via the FBI email portal which had been generated by script [sic] using a list of names. This matter of submission interfered with the FBI’s ability to perform its FOIA and PA statutory responsibilities as an agency. Accordingly, the FBI did not accept these submissions on February 29, 2016, via the FBI FOIA email portal,” it continues. Best’s script was simple enough: It took names of special agents and other FBI officials collated from the agency’s own “Dead List,” a list of people the FBI knows to be deceased, and placed each into a request template. The request was for records held concerning the subjects, which can be released after the person is deceased. (For what it’s worth, Best says he didn’t submit his requests via the “email portal” as the FBI’s letter states, but just sent them to the normal FBI FOIA email address.) “I think the letter’s vagueness is counterproductive,” Best told Motherboard in a Twitter message. “’The manner of submission’ could mean almost anything. The volume of requests, or using the script? If it’s the former, I’ve never heard of an agency discarding FOIA requests because there were too many, and if it’s the latter I don’t see how the locally run script would have created a problem.” The requests weren’t even “rejected,” at least in the traditional FOIA context. Requests can be rejected if they are determined to be too burdensome on the agency. But that’s not what happened here—the FBI didn’t even accept the requests in the first place. [Source]

CA – Residential School Abuse Stories Must Be Shredded After 15 Years: Court

Survivors of Canada’s notorious residential school system have the right to see their stories archived if they wish, but their accounts must otherwise be destroyed in 15 years, Ontario’s top court ruled in a split decision last week. At issue are documents related to compensation claims made by as many as 30,000 survivors of Indian residential schools — many heart-rending accounts of sexual, physical and psychological abuse. Compensation claimants never surrendered control of their stories, the Appeal Court said. “Residential school survivors are free to disclose their own experiences, despite any claims that others may make with respect to confidentiality and privacy,” the court said. The court rejected the idea the documents were “government records” but said the material fell under the court’s control. [Source]

US – ESPN Argues Athlete’s Medical Records Matter of Public Concern

Cable sports network ESPN has filed court papers arguing that journalists are entitled to provide the public with visual evidence to corroborate reports, even in cases involving the athlete’s medical records. Last summer, Jason Pierre-Paul, a player in the NFL, blew part of his hand off in a fireworks accident. Reporter Adam Schefter tweeted a picture of Pierre-Paul’s medical record as proof. The football player has sued ESPN, arguing his privacy was violated. The media outlet argues Pierre-Paul’s claims “cannot succeed where, as here, the subject-matter of a news report is a matter of public concern.” [Hollywood Reporter]

CA – Judges Reject Media Ban in Two Assisted-Death Cases

Canadian judges have refused to bar the media from assisted-death cases for the first time. Judges in Ontario and British Columbia both rejected requests to ban the media from the hearings, breaking precedent set in Canada’s first application for an assisted death in late February. While the judges in the two cases understand the request for privacy by the two clients, the cases are “uniquely significant,” and blocking the media would harm the “open court principle,” said Chief Justice Christopher Hinkson of the British Columbia Supreme Court. “Conducting these proceedings in camera would effectively prevent the public from having any information about the case, other than what is volunteered by the parties or provided by the court in its reasons for judgment,” Hinkson said. [The Globe and Mail]

Health / Medical

CA – BC Arbitration Board Rules Nurse Must Be Reinstated Despite Multiple Incidents of Patient Data Snooping

The BC Nurses Union brought a grievance on behalf of a member who was terminated by her employer, the Vancouver Coastal Health Authority, for improperly viewing patient medical records. An arbitrator determined that termination was an excessive response and orders the nurse reinstated, with seniority, but without back pay or benefits; none of the information accessed was disclosed, and the nurse had realized the seriousness of the unauthorized access (she has been out of work a long time and had taken courses to educate herself on the issue). [Vancouver Coastal Health Authority (Olive Devaud Residence) v. British Columbia Nurses Union – 2016 CanLII 11873 (BC LA) – Labour Relations Board]

Horror Stories

PH – Philippines Breach Largest In Government History?

Sensitive information of nearly 55 million Philippine voters has been exposed in possibly the biggest government-related data breach in history. Security researchers believe the entire database of the Philippines’ Commission on Elections has been exposed following a cyberattack compromising the organization’s website by Anonymous Philippines, after which LulzSec Pilipinas, a second hacker group, posted the complete COMELEC database online. The data dump included information such as fingerprints and passport information, although COMELEC officials claim no sensitive information was accessed. Officials also said the national elections being held 9 May will not be affected by the attacks, as the election-related systems will be held on a separate site. During the initial attack, Anonymous Philippines warned COMELEC it should strengthen the security of the voting systems. [The Register]

TU – Nearly 50M national IDs, PII of Turkish citizens leaked online

The national IDs and other personal information of nearly 50 million Turkish citizens — more than half the country’s population — was leaked on a website hosted in Romania. The other personal information included in the data leak included full name and parents’ names of citizens, address and date of birth. Victims of the data breach also include the current president of Turkey, Recep Tayyip Erdoğan and the previous president, Abdullah Gül as well as current Prime Minister Ahmet Davutoğlu. The site features a “lessons to learn” portion that hints on how the data was stolen, and mentions lack of encryption and poor database security. [The Guardian]

CA – Breach at Alberta’s Maintenance Enforcement Program?

An Alberta government employee is under investigation after Edmonton police discovered as many as 60 sensitive files in the province’s maintenance enforcement program may have been accessed inappropriately. The alleged privacy breach was discovered during a larger police investigation, Justice Minister Kathleen Ganley said. The enforcement program collects and enforces court-ordered child and spousal support payments, meaning the files contained financial information and other personal details. “Obviously, we’re deeply concerned because this is the private information of individuals who have come into the program — sometimes very vulnerable individuals,” Ganley said. The employee in question is under investigation by both Edmonton police and Justice Department officials. The employee still has a job with the government, but no longer has access to the client database. “To the best of our knowledge, there is only one individual involved,” she said. [Edmonton Journal]

Identity Issues

CA – Price of Stolen Canadian Identity Plummets On Black Market

The price of a stolen Canadian identity has dropped by half in the space of a few years, says a new report from tech firm Dell. A set of Canadian “fullz” — the basic data needed to steal someone’s identity — now trades for around US$20 on the global market, down from a range of $35 to $45 in 2014, Dell Secureworks said in its latest Underground Hacker Marketplace Report. A set of “fullz” includes a person’s name, date of birth, an identifying government ID like a Social Insurance Number or driver’s licence and some form of financial data, like credit card or bank account numbers. Physical documents are more expensive, with passports going in the thousands of dollars. Fake Canadian passports can run upwards of US$2,600, more than U.S. passports though not as much as those of some European countries. A Canadian SIN card “was observed being sold by cybercriminals out of China for approximately $173,” the report said. The cheaper prices may have to do with a growing supply of stolen identities. The Insurance Bureau of Canada reported last month that there has been an increase in identity theft in Canada in recent years. The Canadian Anti-Fraud Centre said 17,000 Canadians reported being victimized by identity theft in 2015, and losses topped $10.7 million. But the centre warned that, more often than not, identity theft goes unreported. [HuffPost]

US – ONC, NIST Partner on Federated Identity and Health Data Privacy

The National Institute of Standards and Technology is putting up $1 million to find a new approach for patients and providers to access health records in a joint endeavor with the Office of the National Coordinator (ONC) for Health IT. Instead of piling up individual accounts for each provider a patient sees – dentist, specialist, primary care, in the doctor’s office or in the hospital – NIST and ONC are looking for ways to streamline the entire process by enabling a single credential across multiple providers. “For providers, making strides in the efficiency of accessing medical records means time and money saved – and, if done right, better outcomes for security and privacy – what NIST calls a “Federated Identity.’” NIST deputy director Michael Garcia wrote announcing the pilot. ONC, for its part, will participate in the review of applications and also provide technical support regarding implementation and operation of the pilot. “The goal is for hospital systems to work with other regional health systems and provider groups on developing and using a federated identity system,” Garcia explained. “The identity solution must be: privacy enhancing and voluntary; secure and resilient; interoperable; cost effective and easy to use.” NIST said it will fund one award between $750,000 and $1 million for eighteen months Applications can be submitted at until the June 1, 2016 deadline. [Source]

Internet / WWW

WW – Countries that Use Tor Most Are Highly Repressive or Highly Liberal

You might assume that people in the most oppressive regimes wouldn’t use the Tor anonymity network because of severe restrictions on technology or communication. On the other hand, you might think that people in the most liberal settings would have no immediate need for Tor. A new paper shows that Tor usage is in fact highest at both these tips of the political spectrum, peaking in the most oppressed and the most free countries around the world. Eric Jardine, research fellow at the Centre for International Governance Innovation (CIGI), a Canadian think-tank, is the author of the new paper, recently published in peer-reviewed journal New Media & Society. Jardine analysed data from 157 countries, stretching from 2011 to 2013. That information included a rating for a country’s political repression, derived from assessments made by US-based research group Freedom House, and metrics for Tor usage, sourced from the Tor Project’s own figures. Jardine included data for use of both Tor relays, which are nodes of the network users typically route their traffic through, and bridges, which are essentially non-public relays designed to be used in censorship-heavy countries that might block access to normal relays. He also considered a country’s internet penetration rate, intellectual property rights regime, wealth, secondary education levels, and openness to foreign influences. “The results show that, controlling for other relevant factors, political repression does drive usage of the Tor network,” Jardine writes. [Source]

WW – The Art of Privacy

Artist Trevor Paglen has exhibited a sculpture called the Autonomy Cube at museums around the world. The sculpture houses a custom wi-fi router. Museum visitors who connect to it will have their data redirected through the Tor network. The router also serves as a Tor relay. Paglen aims to install Autonomy Cubes in any museum that will pay for their creation. [Wired]

WW – Android Messaging Apps Leaking Data Through ‘Surreptitious Sharing’

German researchers have found a serious flaw in the way many popular Android email and messaging apps – including Skype and even secure systems like Telegram and Signal – share documents, images and videos. Dominik Schürmann and Lars Wolf from Braunschweig University of Technology say the bug, dubbed ‘Surreptitious Sharing’, allows attackers to capture data including passwords, private keys and message histories. They tested 12 popular email and messaging apps and found eight were exploitable. As a result, they said, the flaw is “definitely present in many more apps”. The affected messaging apps are Skype, Threema, Telegram and Signal. The vulnerable email apps are Google’s Gmail and AOSP Mail, K-9 Mail and WEB.DE. Four messaging apps were found to be safe – WhatsApp, Hangouts, Facebook Messenger and Snapchat. The bug lies in the main ‘Intent’ file-sharing API that Android apps use. This allows an attacker to access the receiving app’s private files. Worryingly, even privacy-focused messaging apps were “easily exploitable”, the researchers said. [Source]

Law Enforcement

US – Maryland Appeals Court Upholds Lower Court Stingray Ruling

An appeals court in Maryland recently ruled that police should not have used a stingray cell site simulator device without a warrant. The state had argued that by turning on cell phones, people were consenting to being tracked. The ruling upholds a lower court decision to suppress information gathered with the stingray. It also addresses the obfuscation police used in obtaining a warrant to use the stingray, writing, “A non-disclosure agreement that prevents law enforcement from providing details sufficient to assure the court that a novel method of conducting a search is a reasonable intrusion made in a proper manner and ‘justified by circumstances,” obstructs the court’s ability to make the necessary constitutional appraisal.” [Wired] See also: [Stingray ruling could challenge hundreds of Baltimore convictions]

CA – Canadian Police Forces Moving Towards Costly Body Cameras

Some Canadian cities and police forces already wrestling with cash-flow shortages are moving toward outfitting officers with body cameras despite privacy concerns and scant consensus on the technology’s cost-effectiveness. Body camera programs aren’t cheap, according to multiple forces across the country, and would require hiring more personnel to deal with the hundreds and thousands of hours of footage. Storage costs alone can run in the millions of dollars. Nonetheless, proponents say the cameras provide better evidence, lead to more convictions, improve officers’ interactions with the public and reduce police use-of-force incidents. Others, however, argue the videos invade the privacy of citizens, and worry that administrative duties related to body cameras will keep officers away from policing. [CTV News]


UK – 93% of Mobile Users Have Their Location Tracked Every Day

A new campaign by privacy-focused advocacy group Krowdthink aims to raise aware of the privacy implication of owning a mobile phone in the UK. The ‘Opt Me Out Of Location’ campaign aims to highlight the fact that nearly every single mobile phone owner in the UK (93%) has unwittingly signed up for a contract that permits their location to be tracked. More than this, the data collected allows providers to build up highly detailed customer profiles which Krowdthink warns leaves millions of users just one serious data breach away from having private data exposed to and abused by criminals. Research by Krowdthink says that while most mobile users are suspicious of apps that make use of GPS, few people think about the fact that their location is highly trackable when they connect to wifi hotspots or cell towers. [Source]

Online Privacy

US – Judge Approves Sony Hack Settlement

U.S. District Judge R. Gary Klausner ruled in favor of the estimated 437,000 employees affected by the 2014 Sony hack, approving the settlement that would provide them identity theft protection through 2017. Klausner said the three years of credit monitoring is longer than granted in other class actions, the report states. Sony further agreed to “an optional service that will cover up to $1 million in losses,” with more specific figures relating to the monetary settlement forthcoming. [The Associated Press]

Other Jurisdictions

WW – Nymity and IAPP Announce New Privacy Management Tool

The IAPP and Nymity have announced the Nymity Privacy Management Workbook and supporting materials. Terry McQuay, Nymity’s President stated, “The Privacy Management Workbook is an unlocked Microsoft Excel Spreadsheet that can be used as is, or customized to meet a specific privacy officer’s needs. The Privacy Management Workbook is accompanied with the “Getting Started Manual”, that provides an operationalized approach to privacy management accountability and step by step instructions on how to use the Workbook. For organizations with mature privacy management embedded throughout the organization, there is a second manual called the “Demonstrating Compliance Manual”. This manual outlines an accountability approach to demonstrating compliance with privacy laws that is empowered by the documentation that was collected using the Privacy Management Workbook. [Privacy Management Workbook and the supporting materials]. [Source]

AU – Census Plan “A Massive Invasion of Privacy” Says EFA

Plans to retain people’s names and addresses for this year’s Census have sparked fear that the information could be used by Centrelink, the Tax Office and ASIO and may lead to mass civil disobedience or people lying on their forms, privacy groups believe. The Australian Bureau of Statistics (ABS), which has been around since 1905, conducts a Census every five years. While this has always involved collecting names and addresses, the difference is that this time it wants to hold on to all of this information. The Agency has said it wants to be able to combine Census data with other datasets, such as health and education statistics, to get a “richer and dynamic statistical picture of Australia.” Statisticians argue this could provide insights into many areas, for example, the employment outcomes of different educational programs or designing mental health services, and result in better service planning and delivery. Keeping names and addresses would also make surveys more efficient and reduce the cost and burden on Australian households, said the ABS. But Jon Lawrence from the Electronic Frontiers Australia said retaining such information was unwarranted and intrusive and “an exceptionally bad idea.” “At its very essence, it’s a massive invasion of the privacy of every Australian,” Mr Lawrence said. [Source] See also: [Benefits of the census retaining names and addresses should outweigh privacy fears]

Privacy (US)

US – FTC Releases Agency’s 2015 Annual Highlights Report

FTC Chairwoman Edith Ramirez released the FTC’s 2015 Annual Policy Highlights. The topics covered in the report include the FTC’s noteworthy legal actions in a variety of industries, including health care, technology and other consumer products and services. The report touches upon the FTC’s work to bring actions against technology companies to ensure the protection of consumers’ personal info, including settling a charge with Oracle over the safety provisions in updates to its Java platform. Also touched upon in Ramirez’s report was cross-device tracking, and educating consumers on fraud and deceptive business practices, including, a website to help people report and recover from identity theft. [FTC Press Release]

US – FTC Fines Organisation $79,659,262 for Payment Fraud Scheme

The FTC is granted an order against Ideal Financial Solutions Inc. for participating in violations of the Federal Trade Commission Act. The company and its subsidiaries are permanently restrained from selling, transferring, or otherwise disclosing a consumer’s personal information to any third party without consent, and misrepresenting that a consumer has authorized or consented to the purchase of a product or service, or the nature or terms of any refund, cancellation, exchange, or repurchase policy. [FTC v Ideal Financial Solutions Inc. – USDC for the District of Nevada]

US – Other Privacy News

Privacy Enhancing Technologies (PETs)

US – FTC Releases Web Tool for Mobile Health App Developers

The FTC released this week a web-based tool to assist mobile app developers in determining which federal privacy laws apply to their mobile health applications. The tool asks developers a series of ten targeted questions that help a user determine whether HIPAA, FTC, and/or FDA rules and regulations might apply. The interactive developer tool presents users with questions that include topics such as:

  • the type of information the app will create, receive, maintain, and transmit
  • the type of entity creating the app (or on whose behalf the app is created)
  • the purposes of the app
  • the information the app will provide to consumers and/or patients

The answer to each question points the user to the laws and regulations that may likely apply to the app. The tool also directs users to definitions for common regulatory terms, links, tips and guidance regarding compliance, and other federal agency resources. In conjunction with the release of the developer tool, the FTC also released its own guidance aimed at developer compliance with the FTC Act. This guidance follows the release of OCR’s Health App Use Scenarios & HIPAA guidance and discussion portal and FDA Mobile Medical Applications guidance. Together, these agency releases reflect efforts to provide guidance that will help provide clarity to the growing mobile health app ecosystem.

US – DHS Unveils Privacy Guidelines for Mobile Apps

The U.S. Department of Homeland Security has issued a set of privacy rules for mobile applications developed for the agency. The guidelines include a privacy policy requirement as well as a rule that program managers notify a privacy official and the chief information officer prior to an app’s development. App developers must pass their apps through a DHS “Carwash,” a system that scans the app’s code, which are then reviewed by DHS Chief Privacy Officer Karen Neuman. The guidelines also lay out what kinds of personal information can be processed and require that user information in transit must be encrypted and “immediately transferred to a protected internal DHS system that is compliant with existing DHS IT security policy.” [FCW]

US – Market Surges For Outside Privacy Counsel

A significant portion of corporations—76%—employ outside counsel for privacy and data security matters, according to a Bloomberg Law/IAPP survey study on “The Market for Data Privacy Legal Services.” And that demand is growing. The survey report concluded that:

  • A dedicated privacy team and subject matter experience are the most important qualities—along with basic care and feeding of clients—that companies look for in hiring outside counsel.
  • On average corporations spend nearly $170,000 annually on outside counsel handling privacy and data protection matters.
  • Outside privacy attorneys command high hourly rates, an average of $474 for transactional services, $539 for litigation and $623 for specialized privacy and data protection services.

The survey found that privacy pros in companies generally don’t hire outside counsel for operational tasks, such as PIAs and privacy by design application. But at the same time, significant opportunities for lawyers to expand their revenue may be in advising companies on privacy by design/privacy engineering initiatives, the report said. [BNA] See also: [UK and European firms invest in data protection ahead of GDPR]


WW – A Lot Will Plug a Random USB into Their Computer: Study

Using booby-trapped USB flash drives is a classic hacker technique. But how effective is it really? A group of researchers at the University of Illinois decided to find out, dropping 297 USB sticks on the school’s Urbana-Champaign campus last year. As it turns out, it really works. In a new study, the researchers estimate that at least 48% of people will pick up a random USB stick, plug it into their computers, and open files contained in them. Moreover, practically all of the drives (98%) were picked up or moved from their original drop location. Very few people said they were concerned about their security. 68% of people said they took no precautions, according to the study. Some 135 people actually opened some files in the drives, according to the study. The researchers didn’t put any malware on the sticks, but had left an HTML file that contained an image allowing the researchers to detect when a file was opened. The HTML file also contained a survey, which had the goal of informing unbeknownst students and faculty that they had become part of an experiment, and trying to figure out why they had picked up the drive and opened files inside. Based on the participants’ survey answers, the researchers concluded that most people did it with “altruistic intentions.” In fact, 68% people said they did it to find the owners, while 18% admitted it was just out of curiosity. However, considering their actions, it seems some overestimated their good intentions. Despite the fact that some USB drives contained a resume file, almost half the users didn’t open that file, and, instead browsed vacation photos first, “overtaken by curiosity,” as the researchers put it. [Source]

US – US, Canada Issue National Alerts on Ransomware

The United States Computer Emergency Readiness Team within the Department of Homeland Security and the Canadian Cyber Incident Response Centre have jointly issued a special alert for both nations on the threat of ransomware and recent variants of the virus. The alert highlights the threat to the healthcare industry in the U.S. and worldwide, as well as threats to other businesses and individuals, outlining important steps to help organizations from falling victim to a ransomware attack, and guidelines for responding in incidents in which an organization is fending off ransom demands. The alert takes a hard line on whether organizations should pay to unlock information or computers, suggesting that there is no guarantee that paying a ransom will result in the release of information. Over the last few weeks, about a half dozen ransomware incidents have been reported among U.S. and Canadian hospitals, and in most cases, the organizations have been able to work around the attacks without paying a ransom. In February, Hollywood Presbyterian Medical Center reported that it paid the equivalent of $17,000 to unlock its information after a ransomware attack crippled the facility’s systems for about a week. The federal alert warns that ransomware is being spread via phishing tactics, as well as through “drive-by downloading,” which occurs when a user unknowingly visits an infected web site and malware is downloaded to the computer. [Source] See also; [Ransomware Threat Hits Critical Mass] and [Should Ransomware Attacks Be Considered Breaches? ]

US – Federal Agencies and Ransomware: Statistics

29 US federal government agencies have reported a total of 321 ransomware incidents since June 2015, according to the Department of Homeland Security. Not all of the incidents resulted in infections, and no incidents resulted in payment of ransom. Last December, Senators Ron Johnson (R-Wisconsin) and Tom Carper (D-Delaware), chairman and ranking member of the Senate Homeland Security and Government Affairs Committee, requested information about agencies’ efforts to protect systems from ransomware. Carper has posted the responses to his website. [FCW] [The Hill] [NextGov] [Results on Senator Carper’s Website] [CBC: Ransomware Hits Another (Ontario) Hospital] [SC Magazine]

Smart Cars / IoT

US – NTIA Commences Internet of Things Proceedings

On April 5, 2016, the National Telecommunications and Information Administration (NTIA) initiated an inquiry to review the potential benefits and challenges presented by the Internet of Things (IoT). In its Notice and request for public comment (RFC), NTIA is seeking input on the current IoT technological and policy landscape with a goal of developing recommendations—in the form of a Green Paper—as to whether and how the federal government should play a role in fostering the advancement of IoT technologies. Comments are due on or before May 23, 2016; parties across industry sectors are encouraged to comment. The inquiry is part of the Department of Commerce’s Digital Economy Agenda through which the agency seeks to help develop a free and open Internet and innovation in the digital economy while promoting privacy, security, and broad access. [Source]

WW – IoT Privacy a Concern for 62% Globally, More in U.S.

A newly released study of 5,200 “mobile media users” in Brazil, China, France, Germany, India, South Africa, the U.K., and the U.S. has found 62% of respondents “concerned” about privacy and the Internet of Things. That number rises to 70% in the United States. According to the Mobile Ecosystems Forum, privacy outstrips security (54%), and is a far bigger concern than physical safety (27%) or “machines taking over the Earth” (21%). Which connected devices are most concerning? Respondents answered with their home security as most concerning (30%) followed by their car (12%) and television (10%). [MediaPost]

US – OTA Principles for IoT Privacy and Security Programs

15 months after forming an Internet of Things (IoT) working group, on March 2, 2016, the Online Trust Alliance (OTA) released a final version of its IoT Framework along with a companion Resource Guide that provides explanations and additional resources. The voluntary Framework sets forth thirty suggested guidelines that provide criteria for designing privacy, security, and sustainability into connected devices. The creation of the OTA IoT principles represents a potential starting point for achieving privacy- and security-protective innovation for IoT devices. For now, the Framework focuses on wearable technology and connected home devices. In so doing, it avoids addressing some of the more challenging transparency and consent issues presented by devices lacking a direct buyer-seller relationship, such as those that arise in the retail or infrastructure context. The Framework also excludes connected medical devices and the associated potential life-or-death implications of medical technologies. Though purely voluntary and non-binding, the Framework differentiates between what it posits as “required” and “recommended” guidelines, thereby allowing for a broader consensus in a dynamic environment with many unresolved questions. Certain guidelines will likely be familiar to consumers—such as multi-factor verification for resetting credentials, and user notification after a password change. Other guidelines are particularly tailored to the IoT space—such as disclosure of the duration of patch support, and notice when a device initially pairs with a network. Themes of the Framework include guidelines designed to achieve the following:

CA – Allstate to Offer Albertans Usage-Based Auto-Insurance

A new Alberta insurance program could see motorists save money if they’re willing to install a device that monitors their habits behind the wheel. Allstate is the first company in the province to offer usage-based insurance, which uses technology to collect data on how a vehicle is driven and offer discounts for safe drivers. “It’s a little box you plug in under the steering wheel, and it sends out information,” Edmonton north agency manager Amanda Sawatzky said. “We take the measurements of the data over six months because that’s going to tell us over time what your driving habits are.” The company will check the frequency of hard braking, the time of day customers drive — accidents are more common between 11 p.m. and five a.m. — total kilometres covered and travelling at more than 125 km/h. The information comes from the vehicle’s diagnostic system and is sent out electronically. Drivers can log in to a website and monitor the results. “Hopefully, as you see a hard braking or speed incident, you’re more aware of it and it leads to safer driving habits,” Sawatzky said. After six months, the equipment will be removed and Allstate will offer participants premium discounts of up to 30%, depending on how well they did. Even if they do badly, their premiums won’t rise. Any discount remains as long as they own the vehicle. “It’s empowering drivers and there’s no downside to it. The safer you drive, the more you can save.” It’s unlikely someone will change how they drive for six months, then revert to bad habits once the monitor is out, she said. People who want to see whether they should sign up will receive a 5% premium cut for a year for using a test app. [Edmonton Journal]


US – New Hampshire Bill Regulates Government and Citizen Use of Drones

Last month lawmakers in the New Hampshire House of Representatives passed a bill regulating government and citizen use of drones. The bill includes strong privacy protections that address some of the most common concerns associated with police using flying robots. The legislation is the latest example of local lawmakers improving upon decades-old Supreme Court precedent amid rapidly changing technology. In a world where drones with cameras are well within many law enforcement budgets it is reasonable to ask when police can fly a drone over your backyard. It’s understandable if you think that you have a reasonable expectation of privacy in your backyard, but the fact is that the Supreme Court ruled in two cases from the 1980s (Florida v. Riley and California v. Ciraolo) that you don’t. In both cases justices on the Court held that observations from the air are analogous to observations from public roads. [Forbes] See Also: [FAA committee writing rules permitting small drones over crowds]

US – NTIA Postpones Drone Privacy Meeting

The National Telecommunications & Information Administration has postponed an April 8 multistakeholder meeting on drone privacy, saying some stakeholders said that work on a revised draft of voluntary drone privacy guidelines would not be ready to circulate to the full group until April 22. The meeting will be rescheduled for early May, according to John Verdi, NTIA’s director of privacy initiatives, in a note to stakeholders. The effort is among a number sets of best practices NTIA is trying to help industry and civil society representatives agree on to enforce the Obama administration’s privacy bill of rights. Others include on apps and facial recognition. It has been a year since NTIA sought comment on “privacy, accountability, and transparency issues” surrounding the use of unmanned aircraft systems (UAS), which are being increasingly used in TV news and film production. Those studios told NTIA they do not think there need to be any privacy guidelines for their use in such productions since they are either used on closed sets, or where they are not collecting information from the public. Back in November, major broadcast and print news operations and others in the News Media Coalition (NMC) asked NTIA to make sure it does not limit their First Amendment rights in its ongoing effort to come up with privacy guidelines for the new wave of UAS. [Source]

Telecom / TV

US – Federal Judge Says No Expectation of Privacy in Cell Site Location

In the Seventh Circuit — where there’s currently no Appeals Court precedent on cell site location info (CSLI) — federal judge Pamela Pepper has decided only about half of what other courts have said about this info’s expectation of privacy applies. That would be the half that finds the Third Party Doctrine covers cell phones’ constant connections to cell towers. (via Three circuits (4th, 5th and 11th) have ruled on whether obtaining CSLI from providers constitutes a search or seizure under the Fourth Amendment. Only the Fourth found that this information deserved greater privacy protections, mainly because of the ubiquitousness of cell phones. The other two held that CSLI is just another business record, even if it is the sort of business record that generates a detailed history of someone’s movements and can be used to track someone in near real-time. The Supreme Court also had something to say about the long-term tracking of people’s movements in its decision about GPS tracking devices. While not exactly the same thing, it was close, and the court here examines this decision as well. The government suggested long-term location tracking might have enough Fourth Amendment implications to justify a warrant requirement, but stopped short of making that call. With these non-precedents in hand, Judge Pepper finds there’s no expectation of privacy in cell location info because — like the government has argued in other cases — everyone should know their phones are acting as ad hoc government tracking devices. [TechDirt] [The ruling is here]

CA – Cases Highlight Legal Debate Over Texting Privacy Rights

The Ontario Court of Appeal is being asked to determine what privacy rights exist in the content of an individual’s text messages when they are obtained by police through the seizure of the phone of the recipient and not that of the sender. It is only the second time that the status of text messages on another person’s phone has been before an appellate court. The B.C. Court of Appeal ruled last year that there are privacy interests for the sender of the communications. At the Ontario Court of Appeal, the issues have been raised in two cases that are being heard together this week. The argument there is no privacy right once a text message has been sent is a very “old school” notion based on control, which does not fit with modern communications, says Laura Berger, acting director of the public safety program at the Canadian Civil Liberties Association. “For an increasing percentage of Canadians, especially younger people, text messages are supplanting voice telephone calls. We need to ensure that privacy protections in place [for phone conversations] are not diluted because of changes in technology,” says Berger. [Law Times]

US Government Programs

US – ODNI Signs Transparency Charter; NSA Sharing Plan Worries Rights Groups

Director of National Intelligence James Clapper signed a charter that formally transitions the Intelligence Community Transparency Working Group into the now permanent IC Transparency Council. Senior officials from across the intelligence community have comprised the working group, which was created two years ago. The council will oversee the Transparency Implementation Plan and ensure that transparency “becomes a comprehensive and sustainable practice” throughout the intelligence community. CSM Passcode reports privacy and civil liberties groups urge the NSA and DNI Clapper to reconsider a proposed data-sharing plan with other law enforcement agencies. Meanwhile, the surprise resignation of David Medine could spell trouble for the Privacy and Civil Liberties Oversight Board. Medine was the only full-time member of the five-member panel. [Full Story]

US Legislation

US – Legislative Roundup

Workplace Privacy

CA – OPC Issues Guidance on How to Prevent Employee Data Snooping

Six years ago a bank employee was caught going through the financial records of another staff member who was in a relationship with her ex-husband. The spying had been going on for four years. In another case hospital employees were caught selling patient data for their own gain. With organizations holding huge amounts of personal data on staff and customers, employee snooping — for curiosity or money — is tempting. The federal privacy commissioner suggested 10 ways employers can prevent staff spying on personal data. “Employee snooping poses a serious privacy risk that if left un-checked can cause significant and lasting financial and reputational damage to both your customers and your organization,” the report warns. “By taking the appropriate steps to address this risk … organizations can go a long way in advancing their reputation as a privacy-conscious business, and more importantly, protect their valued customers’ information, with which they have been entrusted.” [Source] See also: [New OPC Guidance regarding Privacy Impact Assessments: At Two Pages, Why Bother?]

CA – Staff Have Privacy Rights Even if Company Provides Devices, CPOs Told

Talk, not spy technology, should be one of the first weapons employers should use if they suspect employee misuse of enterprise devices or data, two lawyers have told a privacy law conference. “I would be cautious about using all kinds of fun and highly efficient but intrusive technologies to monitor your workers’ productivity,” Emma Phillips, a partner at the Goldblatt Partners LLP law firm, told chief privacy officers in Toronto on Thursday. If management has a reasonable belief there’s been misconduct Canadian law potentially allows staff or a device to be monitored, she added, as long as its done in a reasonable way — for example, don’t install keystroke loggers before warning an individual what inappropriate behaviour is, or put up surveillance cameras that cover broad areas where employees work. [IT World Canada]

WW – Cybersecurity Remains Biggest Barrier to BYOD Adoption: Study

Crowd Research Partners’ recent 2016 BYOD and Mobile Security Report, surveying more than 800 global cybersecurity professionals, reveals that 39% of respondents consider security one of their greatest concerns surrounding bring-your-own-device adoption. An additional 12% expressed fears that BYOD would diminish employee privacy, the report states. The study “reveals that enterprise security risks and mobile data breaches are on the rise.” While these threats are serious, they also pose as “an opportunity for organizations to implement effective cybersecurity solutions to strengthen their security posture and capitalize on the promise of enterprise mobility.” [Security Brief NZ]



26 March – April 1, 2016


US – NTIA Face-Recognition Privacy Talks Blasted as ‘Orwellian Farce’

The U.S. Commerce Department’s National Telecommunications and Information Administration held a meeting last week in its ongoing multistakeholder effort to establish face-recognition technology data best practices, and the results disappointed privacy advocates. Advocates argue that representatives from the technology industry “hijacked” discussions on privacy, the report states. The result? “This is no longer a multistakeholder process,” said the Center on Privacy& Technology. “It is an industry stakeholder process. These draft guidelines are a direct consequence of that decision.” Lack of privacy in this sphere is particularly egregious as “you cannot delete your face.” [IB Times]

Big Data

EU – Security Risks Can Be Mitigated with Robust Access Control and Encryption

The EU Agency for Network and Information Security (“ENISA”) examined the security challenges of and best practices for Big Data. Big Data-related security risks include access control and authentication, secure data management, source validation and filtering, and application software security; mitigating measures include strong and scalable encryption, mandated purchasing from authentic suppliers, use of security standard-compliant devices, and assigning confidence levels on endpoint sources. [ENISA – Big Data Security]


CA – Feds Consulting on Open Government and Access to Information

Treasury Board President Scott Brison invited Canadians to participate in public consultations to help deliver the Government of Canada’s agenda for more openness and transparency. In the context of open dialogue, this series of consultations will be used to develop Canada’s 2016-18 strategy on open government, to be released this summer. Beginning May 1, the Government will also be seeking input from Canadians on how best to implement its commitments to improve the Access to Information Act. Minister Brison will kick-off the consultations on open government by hosting a Google Hangout with leading experts and leaders on April 6. [Source]

CA – Spy Agency Watchdog Facing Huge Budget Cuts

The Security Intelligence Review Committee, which reviews select activities of CSIS, expects to lose, on average, $2.5 million annually in funding starting next spring. The confusion comes as CSIS increasingly flexes its new powers granted under last year’s Bill C-51 national security legislation. The service had long been limited to collecting and analyzing national security intelligence for government, but is now empowered to actively disrupt suspected threats to security and to exchange and collate information on suspect Canadians with other federal departments and agencies, which was not possible before C-51. [National Post]

US – Federal Agencies Sharing Information Under Bill C-51 Provisions

At least four federal agencies have used controversial information-sharing powers in Canada’s new anti-terrorism law, internal government documents show. Privacy commissioner Daniel Therrien said Bill C-51 set the threshold for sharing Canadians’ personal data far too low. It’s not surprising that agencies have begun using the information-sharing act, said University of Ottawa law professor Craig Forcese. “The risk is that it’s being used in ways that are going to be difficult to predict because of the overbreadth and uncertainty of that act, and it’s going to be used in ways that are difficult to police,” said Forcese, co-author of False Security, a book that squarely criticizes the omnibus bill. “It’s added complexity to a complex problem rather than simplifying life.” [Source] [Canada’s new ‘anti-radicalisation’ office met with caution by Muslim community]

CA – Guidance on How CSIS Should Use Anti-Terror Bill C-51 Largely Secret

The federal government has issued guidance to Canada’s spy agency on using contentious new anti-terrorism laws — but most of the instructions won’t be made public. Many passages of the ministerial direction to the Canadian Security Intelligence Service, issued last July, were withheld from release due to provisions of the Access to Information Act concerning security, internal deliberations and cabinet confidences. The federal decision to keep much of the ministerial direction under wraps did nothing to reassure those with concerns about C-51, the omnibus security bill that received royal assent early last summer. The legislation gave CSIS the power to actively disrupt suspected terrorist plots, even allowing the spy service to take actions that breach the Charter of Rights and Freedoms as long as a judge approves. “One of our greatest concerns with C-51 is that CSIS has been given extraordinary new powers, including the power to break the law and violate the Constitution,” said Josh Paterson, executive director of the British Columbia Civil Liberties Association. [Source] [How is the Liberal government using Bill C-51? Good question ] [We Must Question The Timing Of This Terrorism Case ]

CA – BC OIPC Launches Investigation on Phone-Monitoring Tool

BC Privacy Commissioner Elizabeth Denham has kicked off a closed-door inquiry of a surveillance tool known as Stingray, which impersonates a cellphone tower in order to deceive any phone within range and obtain data, possibly storing everything it receives. Law enforcement officials from all over Canada aren’t saying if they use Stingray, as the police work to keep their mass surveillance systems under wraps. The BC Civil Liberties Association’s Micheal Vonn condemned the use of Stingray by police: “What we’re saying here is, does it help to collect the data of tens of thousands of individuals that aren’t the subjects of police investigation? No, of course it doesn’t help.” [Full Story] See also [Maryland Court Says Police Must Disclose Stingray Purpose Before Use]

CA – BC Privacy Commissioner Offers Parting Advice

As Information and Privacy Commissioner Elizabeth Denham prepares to move on to a national posting in the UK, she’s got in mind what the B.C. Liberals could give her in lieu of their tentative offer of a second six-year term here at home.

  • Lobbying reform: Denham’s biggest ask is to change the legislation so what is registered is actual lobbying and not prospective lobbying, “It would make enforcement of the law so much more practical and easier for my office. It would also, I think, help lobbyists because they have to register anyone they might prospectively lobby. It would be more meaningful for the public to be able to see actual lobbying and not prospective lobbying. “
  • Denham favours a stand-alone law governing both public and private health care providers. She also says B.C. should follow other provinces and legislate fines of up to $50,000 for unauthorized snooping by health care staffers. “They’re supposed to look at health information for their own patients, not look up information on celebrities, not look at their ex-spouse’s health information,” said the privacy watchdog. “It’s a serious problem of trust in the system, and we need higher penalties and enforcement.”

Denham is also calling for tougher penalties for the deliberate destruction of public records. Her landmark report from last fall, Access Denied, highlighted a series of concerns in that regard. It also led to recent charges against a government staffer for misleading the commissioner about the destruction of records. The charges are not about the action of unauthorized destruction of records,” explained Denham. “We need that in the Freedom of Information and Protection of Privacy Act. We need an offence provision, and we need the associated penalties.” [The Vancouver Sun]

CA – Legal Community Masses Forces for Set Piece Battle Over Privilege

Organized bar groups are massing at the Supreme Court of Canada again to repel what they contend are state attacks on the adversarial justice system. “When, and under what circumstances, can a regulator pry into a lawyer’s litigation brief, while the litigation is still under way, in order to examine the lawyer’s litigation strategy, trial preparation and other material collected or prepared for the dominant purpose of actual or apprehended litigation?” “If the court finds that litigation privilege can be abrogated by inference, it would expose lawyers’ briefs to regulatory scrutiny while litigation is still under way, in the absence of clear and explicit statutory language. This would dramatically expand the circumstances in which regulators could access information protected by litigation privilege.” [Lawyers Weekly]

WW – Software Flags ‘Suicidal’ Students, Presenting Privacy Dilemma

Ontario Christian Schools (OCS) is a private K-12 school near Los Angeles with about 100 children per grade. Three years ago, the school began buying Google Chromebook laptops for every student in middle and high school. The students would be allowed to take them home. Although Google software, like that of other companies, comes with virus protection and the ability to filter search results and block certain Web sites, Ontario Christian Schools turned to a third party to provide an additional layer of security: a startup called GoGuardian. GoGuardian helped school leaders create a list of off-limits websites: porn, hacking-related sites and “timewasters” like online games, TV and movie streaming. The software also has another feature: It tracks students’ browsing and searches whenever they are using the computer, at home or at school. That’s how OCS was alerted that a student appeared to be in severe emotional distress. Suicide is the third leading cause of death among youth aged 10 to 24. Said a research fellow at NYU’s Information Law Institute and an expert on student privacy and data. “This is a growing trend where schools are monitoring students more and more for safety reasons,” she says. “I think student safety and saving lives is obviously important, and I don’t want to discount that. But I also think there’s a real possibility that this well-meaning attempt to protect students from themselves will result in overreach.” This type of dilemma is almost certainly going to become more common, as school-owned devices and laptops proliferate. In 2015 alone, according to a report released this month, U.S. K-12 districts bought 10.5 million devices like laptops and tablets, a 17.5 percent increase over the year before. [NPR] See also: [Student Privacy at Risk Absent Better Training for All] [U.S. Department of Education guidance]


WW – New ‘Commerce VPN’ Site Aims to Make Online Shopping Safer

Launched yesterday, is a VPN for netizens’ credit cards, aiming to spare online shoppers from the fear that their information is stolen, used in targeted ads, or otherwise employed improperly. The site “drops in a one-time credit card number with no connection to you personally” come check out, making it appear as if is the buyer. The site also permits a debit account shopping system, like PayPal, as well as pseudonyms. While the system isn’t bullet proof, the report states, “you get a new layer of insulation from the world of online fraud.” [The Verge]

WW – Internet Users Don’t Understand Security or Privacy: Survey

Canadian think-tank CIGI (the Centre for International Governance and Innovation) reckons ordinary citizens are more comfortable with government oversight of the Internet and their privacy than, for example, Apple. In an international survey (24,000 respondents in 24 countries), the group claims

  • more than 70% want the “dark net” shut down (which rests on the assumption that 70% of people actually know what the “dark net” is).
  • 26% of users don’t trust their governments at all over monitoring their communications without their knowledge (something not highlighted in either of the two CIGI-Ipsos media releases).
  • Only 8.47% of respondents said they trust their governments completely (the citizens that most trust their governments were in Tunisia, at 27%, and Pakistan, at 21%).
  • most respondents don’t understand that unbreakable encryption protects things like their online banking and shopping, as well as protecting criminals: 60% of Americans and 63% of the total sample reckon “companies should not develop technologies that protect law enforcement from accessing the content of a user’s online data”.
  • Regarding access to citizens’ data, the survey says 70% over users think agencies should have access to citizens’ content for “valid national security reasons” (emphasis added), versus 30% who disagreed. [The Register]


US – FTC Signs Agreement with CRTC to Fight Unlawful Spam

The FTC signed a memorandum of understanding with the CRTC in regards to enforcing commercial email and telemarketing laws. The MOU is effective March 24, 2016. The agreement requires both the FTC and the CRTC to limit retention of shared materials, safeguard any shared information containing PII (by using encryption, using a courier with tracking capabilities, using password-protected files for electronic information and locked storage for hard copies, and redaction of publicly released materials), and notify each other of any breaches. [FTC – MoU between the US FTC and the CRTC on Mutual Assistance in the Enforcement of Laws on Commercial Email and Telemarketing| [Press Release]

WW – Google Enhances Gmail Security

Google has made some changes to Gmail to protect users from malicious links and state-sponsored attacks. When users click on suspicious links that arrive in email, Gmail will display a full-page warning them that visiting the site could harm their computer. Users will be able to choose to click through to the site. Google will also display a full-page warning when it believes state-sponsored attackers have targeted users. Google’s blog post also notes the company’s participation in submitting a draft IETF specification for SMTP Strict Transport Security, which aims to “ensure TLS encryption works as intended.” [SC Magazine] [Google Blog]

WW – The Dream of Usable Email Encryption Is Still A Work in Progress

In 2014, in the aftermath of the Edward Snowden revelations, Google and Yahoo, the two largest email providers in the world, promised to change that once and for all with a browser plugin that would make sending encrypted emails so seamless anyone could use it. Yet, Google and Yahoo’s projects on secure end-to-end encrypted email have yet to see the light of day. That’s why some are starting to question how much Google and Yahoo really care about making this happen. In recent interviews with Motherboard, both companies publicly renewed their commitment. “Engineers from Google, Yahoo, and the open source community continue to work together on the End-To-End Mail extension project. It remains a work in progress,” a Google spokesperson said. A Yahoo spokesperson said the team of new security chief Bob Lord “is still cranking on it,” and pointed to the fact that the company even mentioned the project in its amicus brief in support of Apple in the case of the San Bernardino shooter. Neither of the companies, however, dared to venture a prediction on when the final product would be released. [Motherboard]

Electronic Records

US – CyberSecurity Information Sharing Is Here to Stay

The adoption of the Cybersecurity Information Sharing Act in the U.S., among other initiatives both in the U.S. and internationally, are “likely to bring about a significant change in the way information sharing and collaboration works.” Paired with emerging technical standards that “promise to enable efficient information sharing at scale,” we will begin to see how “cyber-threat intelligence is poised to transition from a revenue-generating resource to a public good.” [Hogan Lovells]. See also: [New NIST working group born out of IoT complexities] See also: [Canadian Federal privacy commissioner will watch threat information sharing, says OPCC official] and [IIROC to Focus on Dealer Members’ Cyber Threats Preparedness]

AU – Vic CPDP ‘Catastrophic’ Impact of Info Sharing Failures

Failure to share information effectively between agencies can have “catastrophic consequences”, the report of the Royal Commission into Family Violence has found. It’s not news for Victoria’s Commissioner for Privacy and Data Protection, David Eatts, who said. “It’s disappointing that it takes a royal commission to highlight these issues, because they’re issues our office has been pointing out ever since I was appointed.” Privacy law is often blamed for different agencies being unaware of risks raised elsewhere. Stories abound of justice, drug and alcohol and child protection services, for example, failing to speak to one another and pick up clear warning signs that may have prevented serious harm. But, while the legislation is complicated, Watts argues it’s the overly legalistic and risk averse approach to privacy law, rather than the law itself, that’s the primary problem. Watts’ comments align with those made by his New South Wales counterpart Elizabeth Coombs last year, who argued the problem is with misunderstandings of privacy law, rather than the law itself. [The Mandarin]


US – FBI Unlocks iPhone Without Apple’s Help

The FBI has managed to crack the iPhone in the San Bernardino case without intervention from Apple. The Justice Department has dropped its legal case against Apple and “has asked a United States Magistrate Judge in Riverside, California to vacate her order compelling Apple to assist the FBI in unlocking the iPhone.” [CS Monitor] [ZDNet] [ArsTechnica] [Bloomberg] [Wired] [ComputerWorld] See also: [Apple scrambles to restore iPhone security after losing privacy fight]

EU – Silicon Valley Faces Encryption Fight in Europe

There are growing calls in some European countries for access to encrypted communications in the wake of recent terrorist attacks in the region. Though Apple is in a highly publicized debate in the U.S. about encryption in its devices, the company, along with other companies employing the security technology, may find similar fights in Europe. French lawmakers plan to debate new intelligence laws this week, and the U.K. is currently embroiled in the proposed Investigatory Powers Bill, which would give broad new powers to law enforcement. Other countries, however, including Germany and the Netherlands, do not back laws that would mandate access to encrypted devices. In the U.S., Sens. Dianne Feinstein, D-Calif., and Richard Burr, R-N.C., are seeking support for their encryption legislation. Rep. Jackie Speier, D-Calif., has released a new bill that would require personal information before purchasing a so-called “burner phone.” [New York Times]

EU Developments

US – Bulk Surveillance Court Cases Could stymie Privacy Shield

The Article 29 Working Party is reportedly looking into three cases that will be heard by the European Court of Justice in weighing its own opinion as to whether the EU-U.S. Privacy Shield is valid. According to Reuters, four individuals familiar with the group’s deliberations said the regulatory body is looking at an airline passenger data sharing pact with Canada as well as two other cases involving data retention by telecommunications companies. According to the report, the three cases are relevant to the Shield because they involve restrictions on bulk surveillance. A senior U.S. government official said, “We have negotiated the Privacy Shield based on the current state of law in the EU … If the law changes, we’ll have to go back and relook at how we handle these things.” [Reuters]

Facts & Stats

US – ACLU Maps DoJ Use of All Writs Act to Force Techs to Crack Devices

The Justice Department said tech companies have accessed phones for it before. So the ACLU tried to find all the cases.  The ACLU on Wednesday published court documents and an interactive map for what it said were dozens of instances when the U.S. government tried to compel tech companies to unlock customer devices, offering a fairly comprehensive look at where and under what circumstances law enforcement sought what now might be seen as controversial help. The civil liberties group said it had confirmed 63 such cases and suspected there could be up to 13 more based on its review of court documents and public statements by government and tech company officials. The ACLU said it published the map to stoke public discussion about the use of the All Writs Act. It is also pursuing a Freedom of Information Act request to learn more. [Washington Post]


US – Effects of Copyright Takedown Abuse on Online Free Expression” Study

Three of America’s sharpest copyright scholars have released a landmark study of the impact of copyright takedowns on free expression in America: Notice and Takedown in Everyday Practice, by Jennifer Urban (UC Berkeley), Joe Karaganis (Columbia), and Brianna L. Schofiel (UC Berkeley) uses detailed surveys and interviews and a random sample from over 100,000,000 takedown notices to analyze the proportion of fraudulent, malformed or otherwise incorrect acts of censorship undertaken in copyright’s name, using the Digital Millennium Copyright Act’s takedown procedure. The DMCA is nearly 20 years old, and even before it was passed into law, virtually everyone who was paying attention said that creating a system that allows anything online to be censored through copyright infringement accusations, without due process or even penalties for getting it wrong, would get us into trouble. Now the evidence is in, and it couldn’t be more damning. [Source]

WW – Egypt Blocks Facebook Internet Service After Surveillance Request Denied

After Facebook allegedly prohibited the Egyptian government from using the company’s Free Basics Internet as a surveillance tool, the government blocked the service altogether. Free Basics provides Internet use to those in poverty-stricken areas for free, and Facebook launched the Egyptian version in October of last year. By December, the government suspended the site, saying at the time that permit issues were to blame. Yet sources “close to the situation” maintain that Facebook “was blocked because the company would not allow the government to circumvent the service’s security to conduct surveillance,” the report states. [Reuters]


WW – Panama Papers: Mossack Fonseca Leak Reveals Elite’s Tax Havens

A huge leak of confidential documents has revealed how the rich and powerful use tax havens to hide their wealth. Eleven million documents were leaked from one of the world’s most secretive companies, Panamanian law firm Mossack Fonseca. They show how Mossack Fonseca has helped clients launder money, dodge sanctions and evade tax. The company says it has operated beyond reproach for 40 years and has never been charged with criminal wrong-doing. The documents show links to 72 current or former heads of state in the data, including dictators accused of looting their own countries. Gerard Ryle, director of the ICIJ, said the documents covered the day-to-day business at Mossack Fonseca over the past 40 years. “I think the leak will prove to be probably the biggest blow the offshore world has ever taken because of the extent of the documents,” he said. [BBC]


CA – OIPC BC Opposes Many Recommended Amendments to FOI Legislation

The OIPC responded to the recommendations made to the committee reviewing British Columbia’s FIPPA. The OIPC rejects a number of recommendations as unnecessary; the Law Society’s recommendation to exclude from disclosure to the OIPC all records subject to solicitor-client privilege is rejected because such disclosure may be necessary in the course of the OIPC’s functions and is subject to existing statutory confidentiality safeguards. The OIPC recommended that the law be amended to require a public body to automatically waive fees when it fails to meet its legislated timeline for responding to a request. [OIPC BC – OIPC Response to Stakeholder Recommendations to the Special Committee to Review the Freedom of Information and Protection of Privacy Act]

US – Study Offers Best Practices for Transparency Reporting: Institute

A new report from the Open Technology Institute at New America and the Berkman Center for Internet & Society at Harvard University examines best practices for transparency reporting. “The Transparency Reporting Toolkit: Survey & Best Practice Memos.” is a compilation of eight memos highlighting challenges major U.S. Internet and telecommunications companies face when reporting on law enforcement and government requests for user information. Transparency reports came into prominence after the Snowden leaks in 2013, but the study says technology companies, including Google, Twitter and Microsoft, have not utilized best practices when crafting these reports and it is therefore hard to compare metrics. “By conducting this survey, we’ve laid the groundwork for stronger and more comprehensive transparency reporting on government requests for user data and information,” said the Open Technology Institute. [Source] See also: [Reddit removes ‘warrant canary’ from transparency report] [ACLU released an online map tracking instances of the government’s abuse of the All Writs Act.]

CA – Why Was NEB Deleting an Email Sent In the Middle of the Night?

Canada’s pipeline watchdog is under investigation by Parliament’s information commissioner for deleting an email that drew attention to a mistake made by an employee, said the National Energy Board (NEB). An internal NEB email revealed that the employee who made the mistake was the pipeline regulator’s head of security. The NEB staff believe the deleted email contained references to how the regulator’s top security official had given personal information about a co-worker to a private investigator. But the email disappeared from the records of the Calgary-based NEB after a senior bureaucrat instructed staff to delete it. People can go to jail or pay hefty fines in the thousands of dollars for deleting records of the federal government’s day-to-day business and operations, under Canada’s access to information legislation. The NEB denied it broke the law. An NEB spokesman said that the contents of the deleted email had revealed it shared information about its employee with a potential contractor without verifying the firm’s security clearance. The spokesman also told National Observer that NEB staff decided to delete the email to mitigate the risk of “harm” caused to the employee whose name was mentioned in the correspondence. [National Observer] Fifth in an in depth series about the National Energy Board. Part I here, Part II here, Part III here, Part IV here.

WW – Microsoft Transparency Report for Second Half of 2015

Microsoft’s transparency report for the second half of 2015 shows that the company received 11% more legal requests for information than it did in the first half of last year. In all, law enforcement agencies made 39,083 requests for information regarding 64,614 accounts. Microsoft provided subscriber data for two-thirds of the requests. In two percent of the cases, Microsoft surrendered content, such as email, instant messages, and data stored in OneDrive. Microsoft also received 505 emergency requests for information. [ZDNet] [MSFT blog] [MSFT Transparency Hub] [New Microsoft Transparency Report Includes Revenge Porn Removal Stats]


US – Law Enforcement Investigators Seek Out Private DNA Databases

Investigators are broadening their DNA searches beyond government databases and demanding genetic information from companies that do ancestry research for their customers. Two major companies that research family lineage for fees around $200 say that over the last two years, they have received law enforcement demands for individual’s genetic information stored in their DNA databases. and competitor 23andme report a total of five requests from law agencies for the genetic material of six individuals in their growing databases of hundreds of thousands. turned over one person’s data for an investigation into the murder and rape of an 18-year-old woman in Idaho Falls, Idaho. 23andme has received four other court orders but persuaded investigators to withdraw the requests. The companies say law enforcement demands for genetic information are rare. [Associated Press]

Health / Medical

US – FTC’s Rich Outlines Health Data Protection Efforts, Calls for More Authority

Jessica Rich, the director of the FTC’s Bureau of Consumer Protection, gave testimony to the House Subcommittee on Information Technology and the Subcommittee on Health, Benefits, and Administrative Rules of the Oversight and Government Reform Committee last week, explaining the Commission’s current efforts to safeguard consumer health data, while reinforcing the Commission’s request for expanded authority to go further. Rich spoke about the FTC’s concerns regarding the large amounts of health information data generated on platforms such as websites, wearable technologies and communication portals. While those technologies are not covered under HIPAA, they do fall under FTC jurisdiction. Rich said the Commission has addressed health data privacy and security issues through enforcement, policy initiatives and education, but believes the organization can be more effective in stopping unfair and misleading practices if Congress passes regulation strengthening the Commission’s existing data security authority. [Full Story]

US – Hospital Settles Largest Per Plaintiff Breach Payout in History

A judge ruled that California-based St. Joseph Health System must pay more than $28 million to settle a 31,074-plaintiff class action suit, the largest per-member settlement in data breach history. This result comes after U.S. District Judge Kenneth Hoyt dismissed a similar suit against the organization in 2015, calling the plaintiff’s concern over “heightened risk of future identity theft” insufficient grounds for legal action. As a result of the 2012 breach, the settlement requires defendants to allot $7.5 million for plaintiffs, $7.4 million for lawyers’ fees, $4.5 million for credit monitoring services, and $3 million for identity theft compensation. [Source]

US – Nurse Hands Over License After Texting Compromising Patient Picture

A New York nurse surrendered her license to practice after snapping pictures of an unconscious patient’s genitals and sending them to peers via text. The surrender was part of a plea deal in which Kristen Johnson pleaded guilty to misdemeanor disseminating of unlawful surveillance photos. Her conviction marked the conclusion of a nine-month, Onondaga County District Attorney’s Office investigation after co-workers complained about her texts. [CBS 6 Albany] Police: Former Upstate nurse took pictures of patients’ intimate parts while unconscious | Central NY nurse loses license over cell phone photo]

US – MedStar Health System Infected with Malware

Washington-Baltimore area healthcare provider MedStar Health has shut down some of its computer systems following a malware infection. The organization says its clinical facilities are still open. MedStar operates 10 hospitals and more than 250 outpatient facilities. The FBI is investigating. [eWeek] [The Hill] [Reuters]

Horror Stories

US – Verizon Customer Data Breach

Verizon has acknowledged that a breach of its Verizon Enterprise Solutions unit compromised customer data. Verizon Enterprise Solutions helps companies respond to data breaches. Last week, a post on an underground cybercrime forum offered 1.5 million Verizon Enterprise Solutions customer records for sale. Verizon says the compromised data are “basic contact information [of] enterprise customers.” [Krebs] [eWeek]

US – University of Central Florida Spends $110,000 After Computer Hack

A computer hack affecting the personal information of 63,000 people at the University of Central Florida resulted in a nearly $110,000 invoice for the month of February. The costs include $64,000 to operate the call center where students and staff could learn if their information was compromised, and another $45,000 to print and mail packets warning people of the hack. UCF says their cybersecurity insurance, which comes from an outside company, covered the costs. While UCF has worked to help the victims, the university still faces lawsuits in the aftermath of the data breach. [WFTV 9]

Identity Issues

CA – Ottawa Man Claims Identity Stolen Using Canada Post Website

Mike Wood says someone stole his identity and changed his mailing address using Canada Post’s website. When he called Canada Post, he was told his mail was being forwarded to another address, after someone paid $117 to make the change online. Wood said the postal service official wouldn’t tell him where his mail was ending up, and that police told him they couldn’t help without that information. Wood said Canada Post told him whoever apparently stole his identity would have had to answer multiple security questions. He’s not sure how that’s possible. He added that a Canada Post representative also told him that tax season is a common time for identity theft, because tax forms include social insurance numbers. Canada Post wouldn’t comment about the case, beyond confirming that they are investigating. [CTV News[

Internet / WWW

US – Hogan Lovells Issues Legal Analysis of the EU-U.S. Privacy Shield

Law firm Hogan Lovells has released a 60-plus-page “Legal Analysis of the EU-U.S. Privacy Shield,” whereby the report’s authors assess the likelihood the Shield will withstand legal challenge by referencing jurisprudence of the Court of Justice of the European Union. Their conclusion? “[T]he Privacy Shield Framework provides an ‘essentially equivalent’ level of protection for personal data transferred from the EU to the U.S.” The assembled lawyers, on both sides of the Atlantic, set up “detailed and complex criteria” for assessing the Shield, and “in every instance, we have concluded that each criterion is met.” [HLDA] See also: [Why the cloud makes the EU-US Privacy Shield meaningless  ]

Law Enforcement

CA – Town of Banff Considers RCMP Traffic Camera Use

Banff RCMP want to use the Town of Banff’s downtown traffic cameras to help them solve crimes and nab crooks. At a council meeting last week, council considered a proposal from Banff RCMP to use the traffic cameras to help them solve crimes, but issues of personal privacy first need to be addressed. Town council unanimously directed administration to return with a report considering the Freedom of Information and Protection of Privacy Act (FOIP) implications of using the traffic cameras to help solve crimes. “Banff has a very low crime rate and we live in a very safe community,” said Councillor Karlos Stavros, who voiced support for the move. “We’re not talking about active surveillance at all. It’s about the ability to provide evidence for cases.” The Town of Banff’s traffic cameras, set up at various intersections in the downtown core, are currently used only to capture traffic data to help monitor traffic flow and overall traffic management. One of the camera types takes a still photo every minute and also has potential to take video. Currently, no personal information such as licence plate numbers or car occupant faces is recorded. Banff RCMP wants to expand the purpose of the traffic camera systems, not for ongoing surveillance, but as an investigative tool. [Source]

Online Privacy

EU – France Fines Google Over ‘Right To Be Forgotten’

The French data protection authority said it has fined Google €100,000 for not scrubbing web search results widely enough in response to a European privacy ruling. The only way for Google to uphold the Europeans’ right to privacy was by delisting inaccurate results popping up under name searches across all its websites, the Commission Nationale de l’Informatique et des Libertes (CNIL) said in a statement. [Reuters] [CNIL – Deliberation No. 2016-054 – Google Inc] [Press Release]

Other Jurisdictions

WW – MSFT Creates Special Chinese Government Version of Windows 10

Microsoft is now ready to roll with a version of Windows 10 designed specifically for the Chinese government, it has emerged. Back in December, Microsoft and China Electronics Technology Group Corp  announced they were setting up a Beijing-based joint partnership called C&M Information Technologies. The new organization will develop a specific build of Windows 10 for Middle Kingdom mandarins. This version will be “a government-approved Windows 10 image, including Chinese capabilities such as government selected antivirus software,” and be made available to “state-owned enterprise customers” including “government and critical infrastructure.” C&M “will provide product activation, patch management, deployment services and product support, as needed, to these government customers.” It will also “collect feedback from these government customers on their specific use requirements to inform the creation of the successive updates of the government Windows 10 image, which may be developed by the joint organization.” Presumably this feedback won’t include all the data Windows 10 routinely sends back to Redmond; this telemetry will likely be curtailed seeing as it’s an enterprise-friendly build. [The Register] See also: [US Navy paid millions to stay on Windows XP]

Privacy (US)

US – FCC Votes To Propose New Privacy Rules for ISPs

FCC Chairman Tom Wheeler moved yet another of his controversial proposals forward last week. The commission voted on party lines, 3-2, to advance a proposed rule imposing strong privacy regulations on ISPs. Wheeler wants to improve how ISPs treat individuals’ privacy when the market makes customer data immensely valuable. That data can give providers and analysts a perfect picture of the details making up a person’s everyday life, and the commission’s majority thinks that’s intrusive. The proposed rule would obligate companies to tell their customers what information they collect, how and if they share it with third parties, and how customers can change those privacy preferences. The proposal also would allow ISPs to use consumer data to sell other communications services or share it with outside marketers in that field. But it would allow customers to opt out of those practices. This is only the beginning. Before officials begin drafting final rules, they’ll need to wait for comments from industry members, think tanks and the general public. It’s a controversial idea. Republicans on the commission, GOP lawmakers in the House, and even members of the broadband industry have all pushed back on the proposed rule. The Republican commissioners were vocal about their dissent. The FTC already regulates privacy. [Source] [FCC OKs Proposed Privacy Rules With a Lot of Pushback] [How The FCC’s Proposed Privacy Rules Would Create A False Sense Of Consumer Privacy] [FCC Sparks Turf Wars As It Raises Washington Profile] [EPIC Urges FCC to Broaden Scope, Substance of Draft Privacy Rules]

US – FTC to Host Fall Seminar Series on Emerging Consumer Technology Issues

The FTC will host a series of seminars this fall to examine three new and evolving technologies that are raising critical consumer protection issues. The FTC Fall Technology Series comprises three half-day events that will explore ransomware, drones, and smart TV. In 2014, the Commission held a series of seminars examining the privacy implications of mobile device tracking, consumer generated health data, and alternative scoring techniques. [Drone bazooka is here]

FTC Fall Technology Series: Ransomware – 9 a.m. to noon, September 7, 2016

FTC Fall Technology Series: Drones – 9 a.m. to noon, October 13, 2016

FTC Fall Technology Series: Smart TV – 9 a.m. to noon, December 7, 2016


US – US Federal Agencies and Ransomware

29 US federal government agencies have reported a total of 321 ransomware incidents since June 2015, according to the Department of Homeland Security (DHS). Not all of the incidents resulted in infections, and no incidents resulted in payment of ransom. Last December, Senators Ron Johnson (R-Wisconsin) and Tom Carper (D-Delaware), chairman and ranking member of the Senate Homeland Security and Government Affairs Committee, requested information about agencies’ efforts to protect systems from ransomware. Carper has posted the responses to his website. [FCW] [The Hill] [NextGov] [Results on Senator Carper’s Website] [ComputerWorld: Ransomware Uses Windows PowerShell] [CarbonBlack] [Petya Ransomware Encrypt Master File Table]

US – FBI Seeking Help with Ransomware Investigation

Reuters obtained a copy of a confidential “Flash” advisory, dated March 25, 2016, in which FBI asked companies and security experts for help in its investigation of ransomware known as MSIL/Samas.A. This particular malware tries to encrypt data on an entire network rather than encrypting data on an individual computer. [Reuters] [With regards to Ransomware The Computer Incident Response Center Luxembourg (CIRCL) have released an excellent guide on “Proactive defenses and incident response“] In the wake of a number of high-profile attacks against hospitals, [legislators are moving to update cybersecurity laws to include protection against ransomware threats] [Ransomware not covered by e-health record laws]

US – Three More US Hospitals Infected with Ransomware

Three more US hospitals have disclosed that their systems were hit with ransomware. Methodist Hospital in Henderson, Kentucky information systems director Jaime Reid said the cause of the “Internal State of Emergency” at the hospital was Locky ransomware. Chino Valley Medical Center and Desert Valley Hospital in California were also struck with ransomware; both were operating normally by Wednesday, March 23. [Krebs] [BBC] [ArsTechnica] [NBCNews] See also: [Is Ransomware Considered A Health Data Breach Under HIPAA?]

US – Medical Dispensing Systems Have Remotely Exploitable Flaws

More than 1,400 remotely exploitable vulnerabilities were found in CareFusion’s Pyxis SupplyStation medical dispensing systems. More than half of the flaws found were given a severity rating of high or critical. The issues affect Pyxis SupplyStation versions 8.0, 8.1.3, 9.0, 9.1, 9.2, and 9.3 on Windows Server 2003/Windows XP. Version 9.3, 9.4, and 10.0 running on Windows Server 2008/Windows Server 2012/Windows 7 are not affected. The US Department of Homeland Security’s (DHS’s) Industrial Control System CERT has issued an advisory. [The Register] [SCMagazine] [ComputerWorld] [ICS-CERT Advisory]

US – Investigation Finds Security Gaps in State Department Visa Database

Security gaps discovered in a State Department system could allow hackers to doctor visa applications, or steal sensitive data. Several months ago, the State Department conducted an internal review learning its Consular Consolidated Database, the government’s “backbone” for vetting travels, was in danger of being compromised. The CCD, one of the largest biometric databases in the world, holds the personal information of nearly anyone who applied for a passport. A cyberattack could compromise sensitive information, including photographs, fingerprints and Social Security numbers, making it valuable for hackers looking to steal identities. Hackers could also alter records approving visa applications for individuals linked to terrorism who would normally be rejected. The State Department says it has addressed these concerns, and any vulnerabilities would be difficult to exploit. [ABC News]

CA – Keystroke Loggers Found at Concordia University

Keystroke logging devices were found on several workstations in the Webster and Vanier libraries at Concordia University in Montreal, Quebec. School officials have notified local authorities. [SC Magazine] [University Notice]

WW – Macro Blocking Now Available in Office 2016

Microsoft has added a feature to Office 2016 that allows enterprise administrators to block macros from executing. The feature can be configured for each application and is controlled through Group Policy. It can be used to disable macros in documents that come from the Internet zone. [The Register] [ComputerWorld] [MSFT Blog]


CA – Civil-Rights Group Appeals on Police Use of Cellphone Surveillance

Pivot Legal Society, a British Columbia-based legal-advocacy organization, filed an appeal with the province’s privacy commissioner after Vancouver police refused to disclose documents related to whether they use an invasive technology known as Stingray. …Wednesday was the deadline for interveners to file submissions on Pivot Legal’s appeal. Groups such as the B.C. Civil Liberties Association and OpenMedia argue that police are “stonewalling” attempts by the public to know the extent of the device’s use, which is putting Canadians’ constitutional rights at risk and preventing law enforcement from being held accountable. [Globe & Mail] [B.C.’s privacy commissioner launches inquiry into phone-monitoring device] [Canadian Cops Won’t Say if They Use ‘Stingray’ Mass Surveillance Devices] [Guilty pleas end risk of revealing RCMP surveillance technology]

CA – OIPC AB Finds Condominium Used Surveillance PI for Contrary Purposes

The Alberta OIPC investigated the Grandin Manor Ltd., a condominium corporation, for alleged violations of the Personal Information Protection Act. Unit owners of the condominium provided deemed consent for the collection and use of their personal information by the surveillance system because a majority of owners voted to implement the system and there is proper signage about the use of the cameras; however, personal information from the system was retrieved and used to send a warning letter to an individual for conduct unrelated to maintenance of building security. [OIPC AB – Order P2016-02 – Grandin Manor Ltd]

WW – Surveillance Silences Minority Opinions: Study

A new study published in Journalism and Mass Communication Quarterly found that those who felt their opinions on mass surveillance were in the minority were less likely to express them. The questionnaire exposed some to subtle reminders of government surveillance and others not. Once the idea of government surveillance is introduced, researcher Elizabeth Stoycheff found, participants — even those who indicated they support government surveillance for national security — were less likely to speak out about nonconformist ideas. [Washington Post]

US Government Programs

US – EPIC Scrutinizes DHS “Insider Threat” Database

In comments to the Department of Homeland Security, EPIC criticized a proposed “Insider Threat” database that would gather vast amounts of personal data on a wide variety of individuals outside the federal agency. The database would include information from the Standard Form 86, which is a 127-page questionnaire for national security positions. The form includes SSN, passport and driver license number, and medical reports among other sensitive data. The DHS database will cover broad categories of individuals, including persons who are not under investigation. The database will contain records not only on current and former DHS employees and contractors, but also on family members, dependents, relatives, and personal associates of individuals who are under investigation. EPIC urged DHS to narrow the scope of individuals included in the database and limit the amount of data collected. EPIC also urged DHS to significantly narrow the Privacy Act exemptions for its database and withdraw unnecessary proposed routine use disclosures. The Privacy Act exemptions DHS has proposed would allow the agency to ignore complying with a number of Privacy Act safeguards, including requirements to maintain accurate records and to limit collection to only that information necessary for the detection and prevention of insider threats. Moreover, DHS’s proposed routine uses would allow the agency to disclose database records to numerous entities for purposes unrelated to addressing “insider threats,” including hiring decisions and DHS public relations. Citing the recent surge in government data breaches, including the breach of 21.5 m records at OPM, EPIC warned that DHS data practices pose a risk to federal employees. EPIC has previously advocated for privacy protections in background checks and consistently warned against inaccurate, insecure, and overbroad government databases. s

US Legislation

US – Senate Passes FOIA Reform Bill

The Senate passed by unanimous consent the Freedom of Information Improvement Act of 2015. The bill, cosponsored by Senators Patrick Leahy (D-VT) and John Cornyn (R-TX), requires federal agencies to operate under a “presumption of openness,” and places time limits on the FOIA’s Exemption 5. Exemption 5 is most commonly invoked to protect the “deliberative process privilege” of inter- and intra-agency memoranda. The FOIA currently places no time limit on the exemption. The bill also seeks to strengthen the Office of Government Information Services (OGIS) and require new reporting on the use of exemptions and audits of agency FOIA processes. In promoting the legislation, Senator Leahy said the bill “will help open the government to the 300 million Americans it serves and ensure that future administrations place an emphasis on openness and transparency.” The House passed a similar bill in January 2016. Differences between the two versions must now be reconciled before President Obama can sign the bill into law. EPIC and a coalition of open government advocates previously urged the President to support the bipartisan legislation, pressing the President to honor his commitment to an “unprecedented level of openness” in his administration by pushing Congress to update the FOIA. The coalition identified six core ways the FOIA should be updated: (1) codify a presumption of disclosure; (2) require agencies seeking to withhold information to show foreseeable harm; (3) require agencies to weigh the public interest when withholding under Exemption 5; (4) exclude from Exemption 5 records older than 25 years; (5) waive fees when agencies miss statutory deadlines; and (6) expand the role of OGIS.




18-25 March 2016


CA – Trudeau Doubles Counter-Radicalization Spending, Zip for SIRC

The Canadian government is doubling its support for programs to prevent radicalization, but couldn’t find any new cash for the overworked agencies that keep tabs on the country’s spies. Amid controversy last year over Justin Trudeau’s support for anti-terrorism Bill C-51, the Liberals pledged to create an office that would tackle radicalization. In its first budget this week, the government revealed the new office of the Community Outreach and Counter-radicalization Co-ordinator will receive an additional $35 million over five years. The officials say the domestic anti-radicalization money supports “a whole-of-government approach” that involves the RCMP, CSIS, border agents, local governments and community groups. [Source] See also: [Ottawa Citizen: PM Says Not ‘At War’ but Increases Use of Hated C-51 Powers]and [Angus Reid Survey Finds Huge Support for C-51]

CA – Canada Endorses Deal to Share Canadian Banking Records with IRS

Two Liberal cabinet ministers who had criticized a controversial agreement to provide Canadian banking records to the U.S. Internal Revenue Service now say they support the deal. Speaking on the way into a cabinet meeting, Treasury Board President Scott Brison and Transport Minister Marc Garneau rallied behind the position adopted last week by Revenue Minister Diane Lebouthillier, supporting the deal struck under the Harper government that saw 155,000 Canadian banking records shared with the IRS last September. [iPolitics] [Revenue Minister Asked to Testify on Records Transfer to IRS]

CA – Could Take Up To a Year to Swear-in a New BC Privacy Commissioner

Premier Christy Clark’s cabinet may appoint a temporary replacement for B.C.’s privacy watchdog, after the abrupt departure of commissioner Elizabeth Denham caught MLAs who were planning to re-appoint her by surprise. Denham told government this week that the United Kingdom had nominated her as its new information commissioner, and she would leave her B.C. post when her term expires on July 6. The all-party committee of the legislature is now faced with the potentially lengthy process of launching a global search for her replacement, which the committee’s deputy chair admits may not be finished before Denham leaves in July. The normal procedure would be for the all-party committee to make a unanimous recommendation to the legislature, and the legislature to affirm that choice. But if the committee can’t agree on a name before Denham leaves in July, cabinet has the power to slot its own candidate as acting commissioner. That person would serve until the committee makes its choice. The entire process, including legislative confirmation, could take up to a year if government doesn’t convene a fall session. [Source] [BC’s Info and Privacy Watchdog Departs for Britain] [B.C. privacy commissioner Elizabeth Denham moving on to bigger things ]

CA – Alberta Court Finds It Is Not Urgent or Necessary for Law Society to Review a Former Member’s Phone and Computer Records

The Law Society of Alberta sought an order compelling Justin Sidhu to produce records in compliance with the Legal Professions Act. An order compelling access to a former member’s cellphone and computer records following his conviction on charges drug trafficking is denied; if the conviction is upheld on appeal that would be proof of the misconduct and therefore the need for the information is neither urgent nor necessary at this time. [Law Society of Alberta v Sidhu – 2016 ABQB 142 CanLII]

CA – Nunavut Making Little Progress on Access to Info Changes

The Government of Nunavut’s efforts to make the administration of its municipalities more transparent has stalled. That’s because consultations with community governments on how to bring their operations under the Access to Information and Protection of Privacy Act are at a “standstill,” according to Nunavut government documents. “In the past year, consultations with municipalities have been at a standstill due to capacity issues within the ATIPP office,” the GN said in a document tabled March 15 in the Nunavut legislature. In the document, the GN responds to 11 recommendations made by a standing committee of MLAs, which reviewed the 2014-15 annual report by Nunavut’s information and privacy commissioner. [Source]

CA – SCC to Hear 2nd Case Involving Jurisdiction and the Internet

On March 10, 2016, the Supreme Court of Canada granted leave on a second recent case involving jurisdictional issues and the internet: Douez v. Facebook, Inc., 2015 BCCA 279. Douez involved a BC resident plaintiff who sought to sue Facebook for a breach of privacy arising from the use of her name and her portrait without her consent. The proposed class action suit would be based on a claim that Facebook’s practice of featuring the name and image of individuals in relation to certain advertisements amounted to a breach of s. 3 of BC’s Privacy Act—a statutory cause of action which only applied within BC. At first instance, the BC Supreme Court concluded that BC was a proper jurisdiction, was not forum non conveniens, and granted certification. However, on appeal that certification was dismissed. The result on appeal arose from a forum selection clause in the Facebook Terms of Use. Applying the established test from Z.I. Pompey Industrie v. ECU-Line N.V., 2003 SCC 27, the BC Court of Appeal concluded that there was not “strong cause” to decline to enforce the forum selection clause, and therefore stayed the proceeding. As with the recent leave to appeal granted in the Equustek case, the Douez decision explores an important aspect of court jurisdiction over disputes involving online conduct. Where Equustek examined cases not governed by binding terms of service, Douez will provide some parallel insight into situations where terms of service purport to limit the ability of Canadian courts to address online disputes, particularly where such terms may come into conflict with geographically limited causes of action. Given the similar jurisdictional issues raised as between Douez and Equustek, and the proximity in time that the cases were granted leave, it is likely that the court will hear and consider both matters together. [Mondaq]


US – House Lawmakers Launch Encryption Working Group

The Chairmen of two House Committees have announced the creation of an encryption working group to examine the complicated legal and policy issues surrounding encryption; the group will identify potential solutions that preserve the benefits of strong encryption while also ensuring law enforcement has the tools needed to keep Americans safe and prevent crime. The House Judiciary Committee and Energy and Commerce Committee have primary jurisdiction over encryption and the issues it presents for citizens, law enforcement, and American technology companies. [Committee on Energy & Commerce] [FCW]

EU Developments

UK – ICO Releases 12 Step Guide on the GDPR

The UK Information Commissioner’s Office released its first guidance on the General Data Protection Regulation (GDPR): the 12 steps that businesses can start taking now to prepare for the GDPR. The ICO also launched a new microsite on the GDPR. Here is a summary:

  • Ensure awareness amongst key stakeholders in the organisation.
  • Document the personal data that they hold, where it came from and with whom they share it.
  • Review current privacy notices and put a plan in place for making any necessary changes.
  • Check existing procedures to ensure that they cover all the rights data subjects now have.
  • Look at the various types of data processing they carry out, identify and document legal basis.
  • Ensure process and procedures are documented – to help demonstrate compliance with the accountability requirements. [Source] [Press Release] [blog entry]

EU – EDPS Releases Guidance on Information Security Risk Management

The European Data Protection Supervisor has released new guidance on Information Security Risk Management, “which advises EU institutions on how to ensure a secure and trustworthy digital environment for the information that is essential for the functioning of their services.” “The security of personal data is a legal requirement, but it is also necessary in the interests of organisations that rely on the use of information for their daily business … I urge the hierarchies in the EU institutions to engage in the tailored development and use of information security risk management processes to address the specific needs of their organisation.” [EDPS Press Release]

EU – Other European Privacy News


CA – MasterCard and Bank of Montreal Launch ‘Selfie Pay’

Bank of Montreal customers who use MasterCard to make online purchases will be taking selfies for a whole new reason this summer, as BMO becomes the first Canadian bank to support MasterCard’s new Identity Check mobile app, colloquially known as “selfie pay,” the companies announced. So far, around 200 BMO employees with corporate credit cards have been signed up for the biometric-based feature, which complements the company’s existing MasterPass service by using facial recognition and fingerprint scanning technology to verify online payments. [IT Business]


CA – Revised Edition of Sedona Canada Principles is Published

The Sedona Canada Principles are revised in a second edition. Principle 2 (proportionality) has been revised to create a 5-part test for applying the “reasonableness” principle; principle 7 (electronic tools) recommends that the parties agree in advance on the tools to be used, and principle 11 (sanctions) is revised to recommend that the Court consider sanctions where a party fails to meet its discovery obligations. [New Edition of the Sedona Canada Principles for E-Discovery – Kirsten Thompson, Partner, and Nolan Hurlburt, Associate, McCarthy Tetrault]

CA – OIPC BC: Records Fall Outside the Scope of FIPPA and Can Be Withheld

The OIPC BC reviewed a decision by the Office of the Police Complaint Commissioner to deny access to records requested pursuant to FIPPA. For records to be except from FIPPA, due to provisions under the Police Act, they must relate the operational records, but not administrative records; based on the video evidence provided the records at issue are operational records of the Police Complaint Commissioner because they are part of a specific case file and relate to the exercise of the Police Complaint Commissioner’s functions under the Police Act. [OIPC BC – Order F16-13 – Office of the Police Complaint Commissioner]

Health / Medical

US – Next Phase of HIPAA Audits Has Begun

The government’s Phase 2 HIPAA audits began March 21. Phase 2 will consist of 200 desk and on-site audits of both covered entities and business associates. The compliance audits are intended to determine if health-care organizations and their contractors are complying with HIPAA privacy and security rules. The first phase of the HIPAA audits was conducted as a pilot program in 2011 and 2012, focused solely on covered entities, while Phase 2 will include both covered entities and business associates. The desk audits are expected to be completed by December, while the more comprehensive on-site audits will begin later in the year. The OCR has reached nine major settlement agreements regarding HIPAA breaches since last March, resulting in a total of $11 million in fines. Some of the lessons learned as a result of the OCR’s enforcement efforts, included the need for companies to:

  • safeguard all paper records, even if most records have migrated to an electronic format;
  • maintain business associate agreements with all business associates;
  • perform a comprehensive risk analysis of all sources of protected health information, not just electronic health records; and
  • translate the results of a risk analysis into a robust risk management plan.

[OCR fact sheet on the Phase 2 audits] [BNA]

US – GAO Identifies Healthcare.Gov Security Weaknesses

The Government Accountability Office released a report identifying several weaknesses in the security of In a span stretching from October 2013 to March 2015, the Centers for Medicare & Medicaid Services reported 316 security-related incidents affecting the site. The breaches mostly consisted of mailing sensitive information to the wrong recipients and the probing of CMS systems by potential attackers. Despite CMS’ efforts to protect the privacy and security of the data maintained through the systems supporting, the GAO noted various trouble spots, including faults in technical controls that could place sensitive information at risk for unauthorized disclosure and controls that protect data flowing through data hubs. The GAO, however, noted that hackers did not successfully compromise any personally identifiable information during that span. [Full Story]

US – Two Hospitals Held For Ransom

Hackers held the computer systems of two California-based Prime Healthcare Services’ hospitals for ransom last week. A Prime Healthcare spokesman said that the incident didn’t cripple the internal systems, hospitals remained “operational,” and the FBI is investigating the incident. While not elaborating on the ransom, he called the situation “similar to challenges hospitals across the country are facing.” Meanwhile, Chubb’s Global Cyber Risk Practice announced the launch of a ransomware service for policyholders. “Many businesses are not equipped to deal with a cyber-extortion attempt, where the timeliness of the response is even more critical,” said Global Cyber Risk. [Kaiser Health News]

WW – Diagnosis by Smartphone Risks Patient Confidentiality: Researchers

Doctors who photograph skin conditions using unsecured, personal mobile phones could be breaching patient privacy. In an article in the Medical Journal of Australia, researchers say using telemedicine for diagnosing dermatological conditions was popular because it sped up treatment and improved patient outcomes, particularly in regional areas where there are few specialists. However doctors and medical institutions endangered patient privacy, as well as their own indemnity insurance and confidentiality clauses of their employment contracts, if they failed to protect confidential patient records by using unsecured mobile phones and emails. [Source]

Internet / WWW

WW – GPEN Issues 2016 Annual Report

The Global Privacy Enforcement Network (“GPEN”), an informal network of 59 privacy enforcement authorities in 43 jurisdictions around the world, has released its 2015 annual report. Highlights:

  • Launched GPEN Alert, a new information sharing system that enables participating authorities to better coordinate international efforts in protecting consumer privacy.
  • 18 teleconferences held in the Atlantic and Pacific regions to connect authorities and to build and share expertise. Two face-to-face meetings in Ottawa and Amsterdam
  • Third annual Privacy Sweep spotlighted the privacy practices of websites and apps targeted specifically at, or popular with, children. [Report]

Law Enforcement

UK – Police Create Mega Crime Database for “Predictive Policing”

The police are to consolidate a number of their large databases into a single “platform” in order to “protect victims and spot potential links to other crimes.” The plans for a “National Law Enforcement Data Programme” were announced by the Home Office this week and will bring together data from the Police National Computer, Police National Database and Automatic Number-Plate Recognition (ANPR) systems “onto a single platform.” However, last year the legality of the ANPR database – which collects a “record for all vehicles passing by a camera… including those for vehicles that are not known to be of interest at the time of the read“ – was called into question by the Surveillance Camera Commissioner. The National ANPR data centre now holds information on 22 billion car journeys. Other measures contained within the Modern Crime Prevention Strategy (PDF) include an “explicit focus on data and technology” and the use of “predictive policing”. [Source] [UK tech industry welcomes government’s new anti-crime strategy]\

US — Study: Punishments for Police Database Misuse Should Increase

Police who abuse official law enforcement databases must receive stronger penalties, says a civilian oversight agency. A study by the Denver Office of the Independent Monitor documented 25 cases of the city’s police misusing the database in the past 10 years. “These databases contain vast amounts of personal information about the American public, including community members in Denver,” said the agency’s Independent Monitor. “When they are misused, reprimands are not commensurate with the seriousness of that violation, and may not be strong enough to deter future abuse.” [New York Times]

CA – Retired Police Chief Keeps (Unwiped) Work Devices

The City of Hamilton Police Services Board did not delete sensitive data from former Chief Glenn De Caire’s police-issued laptop and mobile phone, items he was able to keep post-retirement. This potential oversight sparked privacy concerns, but law enforcement officials say there’s nothing to fear. “I don’t know whether he downloaded anything,” said the Police Services Board Chair Lloyd Ferguson. “I trust Glenn and I don’t know whether he would’ve saved anything to the hard drive.” That problem is bigger than that, argued Ryerson University’s Ann Cavoukian. “It’s not that we don’t trust the former police chief. It’s that accidents happen,” she said. “I don’t want to suggest otherwise, but nonetheless this material has to be governed by strict policies and protocols.” [CBC Hamilton]

CA – Ontario Provincial Police Investigating Unlawful Prison Surveillance

Correctional Service Canada’s use of surveillance inside a federal prison has sparked an official investigation by the Ontario Provincial Police and a lawsuit from the jail guards. Officials used cell-site simulators, or IMSI catchers, to locate prisoners’ contraband cellphones, but the technology also grabbed private data from the guards’ cellphones as well. Indiscriminate surveillance programs can be considered a violation of the Criminal Code, but lawyers argue that this may be tricky to prove, as there is a lack of legal precedent that exists for prison surveillance. Regardless, “CSC officials have recently stopped giving statements to lawyers pursuing the civil suit,” the report adds. [The Globe and Mail]

Online Privacy

US – Medical Organizations, Facebook Sued in Class Action

In a new class-action lawsuit, plaintiffs claim Facebook spied on users who relayed private health information on major cancer institutes’ websites in order to make profit off the data in advertising revenue. Winston Smith has sued Facebook, the American Cancer Society, the American Society of Oncology and five others alleging Facebook uses the private health data it takes from the medical institutes’ websites, which feature a secret “Facebook code” capable of transmitting users’ data to the social media site, to create targeted advertising campaigns. [Courthouse News Service]

WW – Facebook Appeals to Advertisers Seeking Certain Groups Via Race-Based Marketing

Facebook’s has launched new race-based marketing campaigns. In a recent campaign, ads for N.W.A.’s “Straight Outta Compton” were served in different ways to three different audiences: black, white or Hispanic. Facebook calls it “ethnic affinity” targeting, and it’s been pushing it since 2014. It appeals to advertisers seeking a certain group. But Facebook users aren’t required to declare their racial or ethnic identity in their profiles. A Facebook executive explained that to construct a profile of a user’s identity, the company looks at “indicators” like your interests, friends and organizations you belong to. [Ars Technica]

WW – Adobe Unveils Cross-Device Targeting Co-Op

Adobe has announced plans for cross-device targeting, which would not only notify technologists when the same individual is using different devices, but also provides companies a new way to target ads. To do so, members of the new Adobe Marketing Cloud Device Co-op will share data with each other. “So if Company X has been able to use login data to establish that two devices belong to the same person, other members of the co-op take advantage of that fact and tailor their advertising accordingly.” The plan has sparked privacy concerns, but Adobe said the participating advertisers must opt-in, and the shared data is not personally identifiable. [TechCrunch]

WW – The Impact of Your Data Footprint

It’s no mystery to most privacy professionals, but the impact one’s data footprint can have on everyday life is beginning to be well chronicled in mainstream media. Fast Company published a long-form work on the myriad decisions that are made via personal data, often without the data subject’s knowledge. From the presence of police in your neighborhood (or not) to the potential dates you’re presented with on your dating site of choice to the job you are offered (or not), the report details how data may be impacting your life experiences. The article’s conclusion? “[E]thical considerations need to be guiding us.” [Full Story]

Other Jurisdictions

AU – NSW Statutory Cause of Action for Invasions of Privacy?

The NSW Legislative Council Standing Committee on Law and Justice has recommended in its report Remedies for the serious invasion of privacy in New South Wales the establishment of a statutory cause of action for serious invasions of privacy. The Committee recommended that, in establishing the statutory cause of action, it should be based on the Australian Law Reform Commission’s (ALRC) model detailed in its 2014 report Serious Invasions of Privacy in the Digital Era (which was the subject of considerable focus during the Committee’s inquiry). The report’s recommendations were made by MPs from four parties, including those of the Coalition, so this is clearly an idea in the mainstream of NSW political thought. Nothing will happen, however, until the NSW Government’s response to the report, which is expected by 5 September 2016. [Clayton Utz Insights]

Privacy (US)

US – FTC Fines Data Broker $4,000,000 for Selling Sensitive PI Without Consent

The FTC entered into an agreement with Sitesearch Corporation et alia following alleged violations of the FTC Act. The data broker is permanently restrained from selling, transferring, or otherwise disclosing a consumer’s sensitive personal information to any third party without consent, it must not misrepresent that a consumer has authorized or consented to the purchase of a product or service, or the nature or terms of any refund, cancellation, exchange, or repurchase policy. [FTC v. Sitesearch Corporation – Final Judgment and Order for Injunctive and Other Relief – United States District Court for the District of Arizona]

US – NY Contractor Fined $3.1M for Outsourcing Government PI to India

A New York contractor will pay $3.1 million and undergo oversight for the next five years for violating a contract that involved outsourcing the personal information of millions of individuals to a company in India. Focused Technologies Imaging Services was tasked with digitizing 22 million files maintained by the State Division of Criminal Justice Services, which included fingerprints, Social Security numbers, signatures and dates of birth. For $82,000, the company shipped the files of millions of individuals to an Indian-based company for processing. Though the state contract required Focused Technologies’ employees pass background checks prior to processing as an added protection for the records, the company to which the records were outsourced did not conduct background checks on its employees. [The New York Times]

US – Hulk Hogan Wins $115M in Privacy Invasion Case

A jury awarded former wrestler Hulk Hogan $115 million (About $1,138,613 per second) after finding that news site Gawker violated his privacy by publishing a sex tape of Hogan without his consent. The jury awarded Hogan $60 million for emotional distress and an additional $55 million for economic damages, with the possibility of more. “This is a victory for everyone who has had their privacy violated,” said Hogan’s attorney. University of Miami School of Law professor Mary Anne Franks said, “People are thinking a little bit more about the concept of what is newsworthy, because what’s changed is the concept of who a public figure is.” The case comes a week after sports reporter Erin Andrews won $55 million for having her privacy violated by a stalker. [Reuters]

US – Gawker Hit With $25 Million in Punitive Damages

A Florida jury ruled that in addition to its $115 million fine, Gawker must pay $25 million in punitive damages for posting wrestling star Hulk Hogan’s sex tape online without consent. The jury also required the news outlet’s CEO Nick Denton to pay a $10 million fee. “I think we made history today, because I think we protected a lot of people today who may be going through what I went through,” Hogan said. The company said it would appeal the ruling. “We are confident we will win this case ultimately based on not only on the law but also on the truth,” Gawker said in a statement. [Reuters]

Privacy Enhancing Technologies (PETs)

US – Tool Puts Users in the Data-Access Driver’s Seat

Massachusetts Institute of Technology and Harvard University research teams are developing a tool that gives mobile users the “final say” on how and when their data is accessed by applications. The cryptography-based program, called Sieve, encrypts and stores user information in the cloud, dispensing data-access requests to the user when an application wants to employ the data. [ZDNet]


US – Study: Cybersecurity Pros Hesitant to Share Threat Intel

A new McAfee Labs survey of 500 private-sector companies indicated that more than a third of cybersecurity professionals “remain hesitant” to share threat intelligence with members of other industries. 63% of respondents would participate in reciprocal threat sharing. The problem, according to the study, lies in companies’ “misunderstanding” of the information appropriate to share. “When an organization begins to implement a [cyber-threat intelligence] sharing effort, it runs afoul of policies that dictate that no confidential data or [personally identifying information] can leave the organization. This is, of course, generally a good policy but the lack of understanding of the content being shared becomes self-defeating in this case.” [FedScoop]

US – OMB Study: 77,000 Cyber Incidents Hit Government in 2015

An Office of Management and Budget annual performance review found that 77,000 “cyber incidents” befell the U.S. government in 2015, a 10% increase from 2014. The study defines these incidents as “a violation or imminent threat of violation of computer security policies, acceptable use policies, or standard computer security practices,” and names the government’s increased ability to identify data breaches and employee security gaffes as partly responsible for the larger total, the report states. Regardless, “malicious actors continue to gain unauthorized access to, and compromise, federal networks, information systems, and data,” the study said. [Reuters]


US – NYCLU Says Cities Free Wifi Building ‘Massive Database’

When New York started replacing its pay phones with wifi kiosks in January, the new free internet access was met with a great deal of excitement, particularly over the network’s speed. The beta launch included just a dozen wifi hubs, but the city plans to convert 7,500 phone booths over the next few years so that free wifi is as ubiquitous as the yellow taxi in New York. But now, concerns about privacy are beginning to emerge. The New York Civil Liberties Union (NYCLU) accused the city of using its new public wifi system, LinkNYC, to “build a massive database,” complaining that the company behind the program, CityBridge, can keep a vast amount of information about wifi users, per its privacy policy. “In order to register for LinkNYC, users must submit their e-mail addresses and agree to allow CityBridge to collect information about what websites they visit on their devices, where and how long they linger on certain information on a webpage, and what links they click on. CityBridge’s privacy policy only offers to make “reasonable efforts” to clear out this massive amount of personally identifiable user information, and even then, only if there have been 12 months of user inactivity. New Yorkers who use LinkNYC regularly will have their personally identifiable information stored for a lifetime and beyond.” The group sent a letter to Mayor Bill de Blasio’s office enumerating their concerns about the vagueness of the privacy policy. The letter lists three main concerns: how long user data will be retained, unclear language about government requests for user data, and whether the “environmental sensors and cameras” that sit on the new wifi hubs will feed into the Domain Awareness System, a city-wide police surveillance network. As of late 2013, 57 cities had municipal wireless systems of some sort, a number that has and will continue to grow.  [Fusion]

Telecom / TV

US – FTC: We’ll Be Watching for TV Habit-Tracking Apps

The FTC is advising mobile app developers that it has its eye on technology that could allow phones to monitor TV viewing habits and relay that to targeted third-party advertisers. In a blog post this week, the FTC pointed out it was sending letters—from the associated director of the Privacy and Identity Protection division—to app developers whose apps use software created by Silverpush that runs in the background and enables phones to “listen” for embedded audio signals in TV programs to determine what TV shows or ads are playing (sort of like a Shazam for TV content), even when the app is not being actively used. The app “could” create a log of such TV content. [Source] [FTC Raps Android Developers For Using SilverPush Software]

Workplace Privacy

US – Study: Employees Deserve Privacy Laws

In a forthcoming California Law Review paper titled “Limitless Worker Surveillance,” the authors argue that the government should establish employee surveillance protection laws that would balance an employer’s right to efficiency and a worker’s right to privacy in an increasingly connected world. “While employers have a reasonable interest in ensuring the productivity of their workers and in dissuading misconduct in the workplace, that interest does not outweigh the human right to privacy and personal liberty in domains that have been traditionally considered as separate from work and the workplace,” the research states. They dub their proposed law the “Employee Privacy Protection Act,” and maintain that the same legal protections should be extended to health care workers, as well. [Information Week]



08-18 March 2016


CA – Researchers Considering Iris Biometrics to Help Homeless Get Healthcare

A Canadian research project is looking at the use of iris recognition to help homeless people get around the problem of accessing healthcare without proper identification. The iris recognition project will begin later this month with researchers asking those at select temporary shelters whether they’d be comfortable having their iris image captured to be used as a form of ID. An algorithm developed by engineering students at Western University will turn those images into a number that will become the test subjects’ unique ID numbers. Ontario NDP member of provincial parliament Peggy Sattler said, “This (project) is not intended to stigmatize homeless people. It will shed light on how this could work and it can help homeless people have access to health care.” In fact, the technology could also be expanded for all Ontarians, Sattler said. “There are 100,000 more OHIP (Ontario Health Insurance Program) numbers than there are Ontarians.” “Eventually, you could get an iris scan at your doctor’s office and it would go into some kind of database, and every time you access health care, you don’t need a card.” Details about the storage and protection of the biometric data have yet to be worked out. [London Free Press]

Big Data

WW – Twitter, Dove Using Data to Raise Body-Shaming Awareness

Dove unveiled the newest development in its #SpeakBeautiful campaign last week, a tool developed with Twitter that tracks a user’s body-centric buzzwords on the site. The tool issues a link to a user’s own “custom microsite” after they retweet Dove’s official content. The microsite then shows users their own Twitter data, comparing how their “negative tweets stack up to other women.”“ [AdWeek]


CA – OPC Outlines Recommendations for Modernizing the Privacy Act

The Privacy Commissioner of Canada welcomes a Parliamentary committee review of the Privacy Act and has unveiled his priorities for modernizing the law governing how the federal government handles personal information, which has remained largely unchanged since it was proclaimed in 1983. The OPC recommended changes under three broad themes: Responding to technological change, legislative modernization and the need for transparency. The Privacy Act should be amended to

  • Require that all information sharing be governed by very explicit written agreements;
  • Create an explicit requirement for institutions to safeguard personal information, as well as a legal requirement to report breaches to the OPC;
  • Broaden the grounds to seek a Federal Court review to include all contraventions of the Privacy Act, not just denials of access to personal information;
  • Require government departments to consult the OPC on bills that impact privacy before they are tabled in Parliament;
  • Allow the OPC to report in a more timely and proactive manner on the privacy practices of federal institutions, beyond annual and special reports to Parliament; and
  • Extend the application of the Privacy Act to all government institutions, including Ministers’ Offices and the Prime Minister’s Office.

Commissioner Therrien also urged Parliament to consider regulating the collection, use and disclosure of personal information by political parties, but noted the Privacy Act is probably not the best instrument to do this. [Commissioner Therrien’s full statement]

CA – Alberta Privacy Commissioner Aims to Bring Non-Profits Under Provincial Privacy Legislation

The AB OIPC has recommended to the standing committee on Alberta’s economic future that nonprofits should comply with privacy legislation. The Calgary Sun reports that more than 20,000 nonprofits have been exempted from complying with privacy legislation. Privacy Commissioner Jill Clayton wants to eliminate this exemption as her office was only able to address 9% of the privacy complaints it received regarding nonprofits last year. [Calgary Sun]

CA – Nova Scotians Not Keen on Tech Saving Them Money on Car Insurance

Several insurance companies in Nova Scotia are offering a program that allows people to save up to 25% on their car insurance, but few people are opting to take part, according to OTC insurance and the Insurance Bureau of Canada. In order to apply for the discount, people have to volunteer to install what’s known as a telematics device in their car. The small device is installed under a car’s steering wheel and records an individual’s driving habits for six months. The device records things like driving distances, the time of day the car is driven, and sudden acceleration or braking. At the end of the six months the device is turned over to the insurance company and it uses the data to determine if the user should get a discount on their insurance. “We’ve been advertising quite heavily on the radio and seems like people are very leery about having this device in their vehicle for the insurance companies to look at.” David Fraser, a privacy lawyer, has mixed feelings about telematics. “Once this information is generated, it exists and it can be used for other purposes. It can be subpoenaed in connection for with a lawsuit, the police could get a search warrant and it just adds to the amount of digital debris that we leave behind in the run of the day.” He also questions how accurate the information will be and how it will be interpreted. [CBC News]

CA – BC Law gives Coroners Wide Power to Protect Privacy of the Dead

The BC Coroners Service has refused to release the medical records of a murder victim asserting the deceased still has privacy rights. There aren’t any Freedom of Information and Protection of Privacy Act provisions that compel “public bodies … to disclose certain types of information,” said Michelle Mitchell, communications officer for the Office of the Information and Privacy Commissioner for British Columbia. “Therefore, it is not within the commissioner’s powers to require a public body to include specific kinds of information in a report,” she added. [Vancouver Sun]

CA – Trudeau Agrees to Hand Over Even More Data About Travelers to the US

Justin Trudeau’s pilgrimage to Washington has produced one clear result. Canada’s new Liberal government says it will push through a long-delayed plan to share with Washington biographic and other information on Canadian citizens travelling overland to the U.S. The Americans, in turn, will reciprocate. [Source] [US Travel cheers expansion of Border Preclearance Program in Canada] The announcement came as a sidenote to the climate change strategy announced by the two leaders, with fanfare, in DC on last week. “The government of Canada has assured the U.S. it will complete the last phase of a coordinated entry and exit information system so the record of land and air entries into one country establishes an exit record from the other,” the statement from the two leaders reads. Obama framed the deal around stemming the flow of foreign fighters between the two countries — even though evidence for that supposed trend appears to be non-existent — but the effects of the deal could impact the privacy rights of all cross-border shoppers, tourists, and anyone else who crosses the world’s largest land border. The entry/exit deal dates back to the 2011 ‘Beyond the Border’ plan to boost security and reduce trade restrictions between the two countries. The 2011 plan commits the two countries to “establish coordinated entry and exit systems at the common land border” and “exchange biographical information on the entry of travelers, including citizens, permanent residents, and third country nationals” whenever they cross one country into the other. But that part of the plan never came into force, at least not as envisioned. Canada began sharing information with its American counterparts on all third-country nationals — border-crossers who were neither American nor Canadian — but never began doing so for its own citizens, even though it committed to start in June 2014. [Source] [Op-Ed: Canada to share information with U.S. on land border crossers] [Canada, U.S. to share more passenger information ] [Trudeau quietly agrees to share info on Canadians with U.S.]

CA – CSIS Head Says New Powers to Disrupt Plots Used Almost 2 Dozen Times

The head of Canada’s spy agency told a Senate committee that his agency has used its extraordinary powers to disrupt extremist plots close to two dozen times since the fall of 2015. Michel Coulombe, director of CSIS, made the admission to the national security and defence committee, revealing for the first time how frequently this power was used. Canada’s spy agency was granted the power to disrupt suspected plots rather than just relay information about those plots to the federal government and the RCMP when Bill C-51 became law this past summer. [CBC] [CSIS hasn’t crossed line with controversial new powers under Bill C-51, director tells Senate committee]

CA – Toronto Fire/Paramedic Services to Post Emergency Call Data Online

City councillors are getting ready to make vital information about fires and medical emergencies available to the public. A council committee approved two motions this week to have the fire and paramedic services make data from their LiveCAD system — which tracks calls for help in real time — open for the public to see and download. Both were instructed to work with the city’s legal department to make the information available without compromising the privacy of Torontonians. One solution proposed to the committee, for example, was releasing the nearest major intersection to each incident rather than the specific address. [Source]

CA – Regina Police Posting Photos of Potential Witnesses, Suspects and Victims

Can you identify this individual? That question is written under photos of various people, usually appearing in security camera footage, posted on the Regina Police Service’s website. Most of the pictures are of men and women entering stores, walking down aisles or buying something at a cash register. A form underneath the photos allows someone to leave a confidential tip. In some photos, police have put more information about why they are seeking someone, usually because they are a suspect in a crime. But in others, no information about why police want to talk to the individual is provided. The practice began shortly after police started posting photos of individuals wanted on outstanding warrants to its website in February. When explaining the “Can You Identify” page, a separate section of the website, police stress the individuals appearing there are not necessarily suspects in a crime. Once the individual has made contact with police, their photo is taken off of the website. Walter said police have had success with the initiative, and some of the individuals have turned out to be suspects. Before beginning the practice, the RPS consulted its legal counsel through the City of Regina. The approval was given on the basis that a person in a public space does not have the expectation of privacy, and their image is not considered personal information. What police are doing is legal, but it still doesn’t sit well with the Canadian Civil Liberties Association. “It’s not clear what they were suspected of doing, or why the police are seeking them. And once the police locate them, it may turn out that these individuals are innocent. However, other members of the community could assume that someone being sought by the police is guilty of some kind of wrongdoing, and this stigma is particularly troubling given how long images can stay on the Internet,” said Berger. [Leader-Post]

CA – Federal Government Launches Consultations on Breach Notification

On March 9, 2016 the Department of Innovation, Science and Economic Development Canada released a discussion paper on the new data breach regulations being proposed to PIPEDA pursuant to the Digital Privacy Act (Bill S-4). The Ministry is accepting public submissions until May 31, 2016 on the proposed Data Breach Notification and Reporting Regulations. The discussion paper not only solicits comments, it identifies issues that may arise in respect of certain regulatory approaches. Following this consultation process, the Canadian Government will publish draft regulations for public comment and further consultation. It is unlikely that we would see breach reporting come into force in Canada before the last quarter of the year. [Source] [Industry Canada] [Discussion document] [Source]


WW – How Canadians Feel About Data and Privacy (Survey)

Concern about data privacy and security is down among consumers across the globe, but companies still have a long way to go to earn their trust, according to a new study from SAS. The analytics company conducted an online survey of more than 4,300 adults in 15 countries, including Canada. Globally, 63% of respondents said recent events like hacks and data breaches of government agencies and financial websites have heightened their concerns around sharing personal information, down from 69% in SAS’s 2014 survey. In Canada, 64% of consumers report concern about what businesses do with their personal data; 24% of respondents feel they have no control at all over what businesses do with their information, and only 13% believe they have total control. [Mobility, Vulnerability and the State of Data Privacy] [Marketing Magazine]

US – Time, Mansueto Ventures Sued for Alleged Data-Selling Practices

The ability to sell subscriber information to third parties is at the center of two separate lawsuits. Plaintiffs maintain that both Time Inc., the company behind magazines People and Sports Illustrated, and Mansueto Ventures’ data usage violated their respective states’ privacy legislation. “Unfortunately for its subscribers, Time supplements its sales and advertising revenue by secretly selling their statutorily protected information — including their full names, titles of magazines subscribed to and home addresses (collectively ‘Personal Reading Information’) — to data miners and other unrelated third party companies,” one suit reads. [NY Post]

US – Don’t Post About Me on Social Media, Say Children

Recently, university researchers asked children and parents to describe the rules they thought families should follow related to technology. In most cases, parents and children agreed — don’t text and drive; don’t be online when someone wants to talk to you. But there was one surprising rule that the children wanted that their parents mentioned far less often: Don’t post anything about me on social media without asking me. [New York Times]


CA – Canada: Federal Government Lagging on Online Services, Documents Warn

The federal government is lagging behind both private sector offerings and Canadians’ expectations in online services, internal documents warn. A full 77% of federal services still cannot be completed over the Internet. Services like passport applications, requesting access to government information, or obtaining proof of citizenship all require in-person treks to Service Canada locations or mailed application forms. A minority of services, like filing taxes or updating pension information, can be done online through government websites. In addition to raised expectations, the documents note that it takes a long time for the sprawling federal bureaucracy to implement changes in how it delivers services. [Source]

US – California Judge Reverses Court Order on Student Information Release

A federal judge tweaked her initial court order for the release of sensitive student data to a statewide parent group of special education advocates March 1, as a result of a “large number of objections” from parents who mailed in opt-out forms to the U.S. District Court in Sacramento. [The ruling] In her March 1 order, U.S. District Court Judge Kimberly Mueller noted the large number of objections to the potential release of student data received by the court following the posting of the “Notice of Disclosure of Student Records” on Feb. 1. In response, the court ordered that the CDE maintain custody of the most sensitive of its databases—the California Longitudinal Pupil Achievement Data System (CALPADS)—while running searches for information requested by the plaintiffs. The court also reiterated that no student’s personally identifiable information may be released to the plaintiffs unless and until they demonstrate to the satisfaction of the court that the method to be used to store the sensitive student data is secure, the CDE noted. The parties are still litigating the extent of the disclosure of student data. [Morgan Hill Times] See also: [Special ed court case causes stir] [Teachers union supports opt-out option]


CA – Claim that Minister Doesn’t Use Email Adds Questions About B.C. Libs Compliance With FOI Laws

The B.C. finance minister has joined a growing list of senior provincial government officials who either claim they do not use email or who have been caught routinely deleting their emails. The practice has gained prominence following freedom-of-information requests by the media and a damning report by the OIPC BC, which rebuked the Liberal government for failing to adequately create and maintain records. It also singled out specific staff for routinely “triple deleting” emails as a means of permanently destroying records. BC Premier Christy Clark responded with a public statement. “The practice of ‘triple-deleting’ will be prohibited, ministers and political staff will continue to retain sent emails and a new policy and specific training will be developed,” she said in a December 16 media release. Clark also said the government would “study and consider the establishment of duty to document”. According to his press secretary, “(Finance) Minister de Jong has the longstanding practice of requiring information such as briefing notes, decision notes, memos and other correspondence to be delivered to him through his office on paper, rather than to an email account,” it reads. “His choice not to receive information or hold conversations by email is a matter of personal preference as a way to manage and prioritize the volume of information his portfolio already entails,” the statement continues. De Jong’s aversion to the world’s most common form of interoffice communication puts him in good company among Liberal government senior staffers. On December 16, the Straight reported that the premier herself had essentially stopped using email. [Vancouver free press] [Finance Minister Mike de Jong doesn’t do email, says premier — and that’s OK with her] See also: [FOI response suggests B.C. Premier Christy Clark has basically stopped sending emails] and [NDP cites evidence of emails deleted from top government accounts, including premier’s]

CA – Former BC Staffer Charged in E-Mail Deletion Probe

A former B.C. government employee who allegedly deleted e-mails involving the Highway of Tears has been charged with two counts of willfully making false statements to mislead, or attempt to mislead, the province’s information and privacy commissioner. The B.C. Criminal Justice Branch announced the charges Friday – approximately 4 1/2 months after Commissioner Elizabeth Denham released a scathing report that said Premier Christy Clark’s government routinely thwarted freedom-of-information requests through tactics such as triple-deleting e-mails. The charges were laid under FIPPA. Mr. Gretes faces a maximum fine of $5,000 a count. [The Globe and Mail]

Electronic Records

AU – Updated eHealth Record System Still Sparks Criticism

The Australian government’s revised eHealth program, now dubbed “My Health Record,” still faces the criticism of privacy advocates. While this newer iteration of the Personally Controlled Electronic Health Record permits an opt-out function, critics like the Australian Privacy Foundation argue that the program lacked specific instructions for doing so. “There are many people who should be very careful about letting the government put lots of identifying information into a central database,” the APF said in a statement. [Computerworld] [Opt-out e-Health a ‘Fundamental Breach of Trust’: Victorian Regulator]


UK – ICO Issues Guidance on Use of Encryption

The U.K.’s Information Commissioner’s Office has released a new set of encryption guidelines, urging companies to embrace the practice before it’s too late. Although encryption practices are relatively simple, companies “often have no idea whether their data is encrypted or not,” the report states. The ICO said in a blog post that while choosing to forgo encryption isn’t illegal, “the ICO takes the view that regulatory action may follow in cases where a lack of encryption has led to a loss of data,” resulting in a high number of fines and the loss of many a company’s reputation. [ZDNet] See also: [U.K.’s Investigatory Powers Bill would mean even small startups would be required to create backdoors to their systems] and [France Clears Bill That Could Force Apple to Unlock Terror Data] [A bill under consideration in France would impose powerful new penalties for companies that do not provide access to encrypted communications in terrorism-related investigations]

UK – Snooper’s Charter Would Require Even Startups to Build in Backdoors

Should the U.K.’s Investigatory Powers Bill pass through Parliament, even small startups would be required to “bake insecurities into their systems in order to be able to hack users on demand.” And, while Apple has been able to make public the fact that the FBI wants backdoor access in the U.S., the U.K. bill would require companies to keep quiet about law enforcement requests. “They built in systems that would force companies who have more than 10,000 users — which for a startup 10 years ago used to be a hard thing, now you can quite quickly collect 10,000 users no problem — so it’s a very low threshold,” said Privacy International’s Eric King. [TechCrunch]

US – EFF on Why FBI Can’t Force Apple to Sign Code

Code is speech: critical court rulings from the early history of the Electronic Frontier Foundation held that code was a form of expressive speech, protected by the First Amendment. The EFF has just submitted an amicus brief in support of Apple in its fight against the FBI, representing 46 “technologists, researchers and cryptographers,” laying out the case that the First Amendment means that Apple can’t be forced to utter speech to the government’s command, and they especially can’t be forced to sign and endorse that speech. In a “deep dive” post, EFF’s Andrew Crocker and Jamie Williams take you through the argument, step by step. [Source]

US – Encrypted WhatsApp Messages Frustrate New Court-Ordered Wiretap

The US Department of Justice has opened another legal front in the ongoing war over easy-to-use strong encryption. Prosecutors have gone head-to-head with WhatsApp, the messaging app owned by Facebook. Citing anonymous sources, the Times reported that “as recently as this past week,” federal officials have been “discussing how to proceed in a continuing criminal investigation in which a federal judge had approved a wiretap, but investigators were stymied by WhatsApp’s encryption.” The case, which apparently does not involve terrorism, remains under seal. [The New York Times]

WW – Google Adds Worldwide HTTPS Info to Transparency Report

Google has launched a transparency report specifically to track the progress of the Internet’s encryption efforts. The aim is in support of the general push to have encryption available everywhere. Even within the Google universe HTTPS is far short of 100% of traffic. Excluding YouTube traffic, but with Gmail, Drive, Search and increasingly Blogger and advertising traffic over HTTPs, only 75% of what’s served from Google domains is currently encrypted. Google will be updating that reporting each week, the company says. The second plank of the strategy is looking at Certificate Transparency: a public search interface letting users check that a certificate is valid and is being used correctly. [The Register]

EU Developments

EU – MEPs Vote Against Passenger Name Record Vote

Members of the European Parliament voted 7 March against placing the Passenger Name Record on the plenary session agenda, citing privacy objections. “It is true that the Council has never been particularly helpful on the legislative package related to data protection,” said French Socialist Delegation President Pervenche Berès. “But the fact that PNR has still not been adopted in March 2016, after it was promised for December last year, does not give a very good impression of the EU.” MEPs rejected placing PNR on the agenda for “fear a vote on PNR may allow member states to abandon the personal data protection package they have promised as a counterweight to the new surveillance powers.” [EurActiv] See also:

[some analysts are predicting the EU-U.S. Privacy Shield will not stand up to judicial scrutiny in Europe]

EU – EDPS Releases Case Law Overview

The European data protection supervisor has released a working document covering relevant privacy and data protection case law in the EU between Dec. 1, 2014 and Dec. 31, 2015. The case law pertains to the Court of Justice of the EU, European Court of Human Rights, and national courts of member states “on the right to the protection of personal data, the right to protection of private life, access to documents, and the right to freedom of expression,” the EDPS working document states. The overview also includes pending cases and is “intended to provide factual summaries of case law.” [Source]

Facts & Stats

US – Verizon Issues Data Breach Digest Report

Verizon has released a Data Breach Digest Report, a set of 18 case studies that comprise common scenarios that the majority of breaches fall into. The incidents include a water utility at which intruders managed to manipulate water treatment processes and flow; a developer who outsourced his work to China; and pirates (the seafaring variety) who used information stolen from a shipping company’s computers to target specific containers on vessels they boarded. [eWeek] [DarkReading] [Ars Technica] [CSO Online]

US – Businesses Reluctant to Report Attacks: Report

According to a report, Cyber Security: “Underpinning the Digital Economy,” from the Institute of Directors and Barclays bank, many organizations do not report cyberattacks to law enforcement. Just 28% of cyberattacks are reported. The report also found that while most business leaders believe cybersecurity is important, just half have established plans to protect themselves from attacks. [ZDNet]

CA – 53% Have Been ID Theft or Fraud Victims: Equifax Survey

More than half of Canadians (53%) say they have been a victim of financial fraud according to an Equifax Canada survey. Additionally, new data suggests that millennials (Generation Y) are increasingly the ideal target for fraudsters and organized crime syndicates. Throughout Fraud Prevention Month in March, Equifax Canada will work with the Canadian Anti-Fraud Centre (CAFC) to educate consumers, especially millennials about the impact of fraud and how to protect themselves. The CAFC estimates that mass marketing fraud losses to businesses and citizens has grown to greater than $10 billion annually, and it’s believed that almost 80% of all fraud is committed by organized crime groups. [Source]


US – FTC Wants Details on Credit Card Audit Practices

The FTC has issued orders to nine companies to share their Payment Card Industry Data Security Standards auditing practices, the agency said in a statement. The FTC aims to measure “the state of PCI DSS assessments,” the report states. The agency further hopes to gauge “the ways assessors and companies they assess interact” and to glean “information on additional services provided by the companies, including forensic audits.” [FTC]


CA – OIPC BC Orders Disclosure of 3rd Party Pricing Info Withheld by Public Body

The BC OIPC reviewed a decision by the Capital Regional District to withhold records requested pursuant to FIPPA. Disclosure of the information would not significantly harm the competitive position of the third party; the information does not directly state hourly rates, is not sufficiently detailed to reveal the hourly rates of individual personnel, and is dated information from 2009 and of limited use to competitors. [Order F16-05 – Capital Regional District]

CA – OIPC BC Orders Elections Body to Disclose Administrative Records

This OIPC order reviewed Elections BC’s refusal to disclose records requested under BC FIPPA. The administrative records are subject to FOI legislation and must be disclosed (e.g. job descriptions and a delegation matrix indicating who the Chief Electoral Officer has chosen to assist with his various functions); operational records do not fall under the legislation and may be withheld (e.g. an event plan that relates to the CEO’s planning of electoral processes, and memorandums of understanding related to the exercise of the CEO’s powers in relation to the prosecution of electoral offences). [Order F16-07 – Elections BC]

CA – OIPC SK Partially Upholds the Decision to Withhold Certain Records

The Saskatchewan OIPC reviews the decision of the Saskatchewan Arts Board’s to withhold records requested pursuant to The Freedom of Information and Protection of Privacy Act. The Board withheld records containing third party information which qualifies as advice, proposals, recommendations, analyses or policy options (such as, the analysis of and recommendations for issues faced by the Board, reports prepared for the Board which included advice and recommendations) that would be part of the Board’s responsibility and were prepared for the purpose of taking action or making a decision. [Review Report 154-2015 – Saskatchewan Arts Board]

Average Breach Falls Below Cyber Insurance Policy Deductible, Study Shows

An Advisen study, commissioned by ID Experts, found that the cost of the average data breach is less than most cyber insurance policies’ deductibles. “Most data breaches are small — consisting of fewer than 500 records lost,” the report states. “But most cyber insurance policies are set up to protect against large data breaches, with 90% of respondents having a deductible that is greater than $10,000.” As a result, more than 70% of those surveyed employ internal resources to clean up these smaller incidents. “There’s a lot of misconceptions around cybersecurity insurance — what it does, what it could do. It’s not for everyday occurrences.” [DarkReading]

CA – Commercial Liability Policies Likely Do Not Protect Companies from Data Breach Costs

A law firms examines why Commercial General Liability (CGL) policies may not protect companies in the event of a breach. The standard CGL policy usually requires “compensatory damages” to have been incurred, but the tort of breach of privacy does not require proof of damages; breach notification often requires legal assistance, which is not covered. U.S. case law suggests that CGL coverage for privacy-invasive “publication” does not apply to publication by third parties (e.g. hackers). [Breach: How New Types of Privacy Claims are Changing the Litigation Landscape – Daniel Reid, Associate, Harper Grey, Insurance Brokers Association of BC]


UK – Police Hold DNA Profiles of 7,800 Terrorism Suspects

A police counter-terrorism database contains the DNA profiles and fingerprints of more than 7,800 identified individuals, an official government watchdog has revealed. The figure revealed by the biometrics commissioner, Alastair MacGregor QC, in his annual report last week, is far higher than any previous indications of the number of suspected terrorists in Britain. The commissioner reveals that the number of individuals whose DNA profiles and fingerprints are being logged on the little-known database as a result of counter-terrorism investigations is growing rapidly, having risen from 6,500 identified individuals in October 2013. The watchdog also reports that errors and delays in an official drive to delete the biometric records of those who have never been convicted of an offence – which account for 55% or 4,350 of those on the counter-terrorism database – have led to the destruction of a significant number of biometric records of terrorism suspects that should have been kept on national security grounds. In his second annual report, MacGregor says 1.7m DNA profiles and 1.6m sets of fingerprints have been deleted from the police national DNA database since the home secretary, Theresa May, introduced legislation in 2012 requiring the removal of details of those who have never been convicted of a criminal offence. He says the fact that the national DNA database still holds the biometric details of 12.5% of all men and 3% of all women in Britain and has not had any “demonstrably adverse impact” on its effectiveness; indeed, if anything, its overall “match” rate with DNA evidence found at crime scenes has gone up. But the commissioner raises serious concerns about the standalone national counter-terrorism police database. It has been quietly built up under powers in the Terrorism Act 2000 by collating DNA profiles and fingerprints gathered from searches, arrests and crime scenes during counter-terrorism investigations. MacGregor says he decided to publish the number of individuals on the counter-terrorism database after it was suggested to him in 2014 that to do so would be contrary to the interests of national security. He says he was “not wholly persuaded” by the argument and this year he sought and obtained agreement to disclose the number. [The Guardian]

Health / Medical

CA – Ont. Court Docs in Assisted Death Cannot Be Named by Press

An Ontario judge agreed to ban media from reporting the names of doctors for a Toronto man seeking assisted death, arguing that anonymity is needed to ensure health workers keep helping out in such cases. The ruling by Justice Thomas McEwen of the Ontario Superior Court also prohibits identifying the cancer patient and his family, citing the “intensely private and personal matter of his death.” A lawyer representing the National Post and other news media had objected to the scope of the ban requested by the 80-year-old man, saying it was important to make public the physicians’ names, partly to help identify any doctors who might “rubber-stamp” assisted-death requests. But the physicians and other health workers had asked to remain anonymous and they were justified in doing so, said Justice McEwen. “Their wish and concerns are entirely reasonable, in my opinion, given the publicity and controversy surrounding physician-assisted death,” said his 10-page decision. “This is a public interest of great importance … There may be a serious risk (with naming names) of impairing access to physicians willing to assist.” The judge also ruled the patient’s lawyer could edit out the required information from the court file before making it available to the media or their lawyers. [Source]

US – Study: Health Apps Pose Major Privacy Concerns

An Illinois Institute of Technology Chicago-Kent College of Law study of Android mobile apps for diabetes management found privacy practices wanting. “Many health apps transmit sensitive medical information, such as disease status and medication compliance, to third parties, including aggregators and advertising networks,” the report states. More than 80% of the apps had no privacy policies. An undefined legal landscape encourages these behaviors, the researchers argue. “Patients might mistakenly believe that health information entered into an app is private (particularly if the app has a privacy policy), but that generally is not the case,” they said. [CBS News]

EU – Estonian Citizens to Have World’s Most Hack-Proof Health-Care Records

Estonia is moving its citizens’ health records to a database, based on blockchain technology, that nobody can mess with. While financial institutions rave about the potential for blockchain—the technology that powers bitcoin—as a way to revolutionize the financial world, it can also help keep private data secure. A blockchain is essentially a digital ledger that, thanks to some computational tricks, records every change made to it indelibly. This means it can act as a database for health data. Whenever someone’s health records are accessed, that “event” is recorded on the blockchain, alongside what information was changed or added. That way, the information remains both secure and tamper-proof; nobody can change it without leaving traces. Eventually, there will be a dashboard for the public to see their own health records and any changes made to them. [Estonia using Blockchain to secure health records] [Estonian citizens will soon have the world’s most hack-proof health-care records] [Guardtime secures over a million Estonian healthcare records on the blockchain]

US – Senator Asks Privacy Regulators to Stop Abuse of Nursing Home Residents on Social Media

After a December 2015 ProPublica report documented more than 35 incidents involving employees at assisted living homes sharing photos of residents on social media, U.S. Sen. Tom Carper, D-Del., wrote the Department of Health and Human Services’ Office for Civil Rights asking what it’s doing to curb these instances. Of the photos, which often depict naked, ill residents, Carper said in a statement, “This type of abuse is unacceptable and falls short of our moral obligation to the ‘least of these’ in our society.” The OCR’s Deven McGraw said the office would reply to Carper’s inquiries. [ProPublica] See also: [Newfoundland health worker fired for privacy breach involving 25 patients]

Identity Issues

EU – EMA Published Guidance on De-Identification of Clinical Reports

The European Medicines Agency (EMA) has published guidance on the anonymization of clinical reports according to EMA policy on publication of clinical data for medicinal products for human use (EMA/240810/2013). Under the European Medicines Agency Policy 0070 for medicinal products for human use, manufacturers are required to submit anonymized versions of clinical reports to the agency, as well as a risk analysis report documenting how the risk of re-identification is considered sufficiently small. The specificities of the clinical data should be taken into consideration when selecting the most appropriate anonymisation technique (e.g. masking, randomisation or generalisation); a data controller must continuously follow development in re-identification techniques and, if necessary, reassess the risk of re-identification. These documents will then be made publicly available under two different data sharing mechanisms. Many manufacturers are now trying to figure out how to meet these requirements for their new submissions. [Source] [Webinar by Privacy Analytics – March 31, 2016). [European Medicines Agency – External Guidance on the Implementation of the European Medicines Agency Policy on the Publication of Clinical Data for Medicinal Products for Human Use]

Internet / WWW

UK – New Guide to Help Build Child Safety into Platforms

The U.K. Department for Culture Media & Sport has released a new guide designed to help organizations ingrain online child safety into Web and mobile businesses. The guide, Child Safety Online: A Practical Guide for Providers of Social Media and Interactive Services, uses the six principles of the ICT Coalition for Children Online safety framework, a European industry initiative to make online platforms safer for younger users. The principles include content; parental controls; dealing with abuse/misuse; child abuse or illegal contact; privacy and controls; and education and awareness. [Source]

Law Enforcement

CA – Vancouver Police Investigates Leak About Visiting Photographers

The Vancouver Police Department claims it is still investigating how a local website obtained an internal police bulletin and photographs of three men who were wanted for questioning after they were seen taking photographs at Pacific Centre Mall last January. “As this matter remains under investigation by the Vancouver Police, we are relying on section 15 of the Freedom of Information and Protection of Privacy Act to withhold records related to this issue.” Section 15 of the act consists of a number of provisions that allow government organizations to refuse to release information if doing so would be “harmful to law enforcement”. The Straight filed the requests in question after the local website published photographs that the website later said it had obtained from an internal police bulletin it had received from a member of the VPD. The original post published on January 14 included photographs of the three men wanted for questioning and quoted the VPD internal bulletin describing them as “men who look Middle Eastern”. The following morning, VPD chief Adam Palmer said the force was never planning to go public with a warning about the men. He explained the VPD only responded with information intended for the public after an internal report was leaked to media. The VPD subsequently released a statement that cleared all three men of any wrongdoing. [Source]

US – Use of Stingrays Violates Fourth Amendment: Court

The Maryland Court of Special Appeals upheld a historic decision by a state trial court that the warrantless use of cell-site simulators, or Stingrays, violates the Fourth Amendment. The trial had suppressed evidence obtained by the warrantless use of a Stingray – the first time any court in the nation had done so. Last April, a Baltimore police detective testified that the department has used Stingrays 4,300 times since 2007, usually without notifying judges or defendants. Stingrays mimic cellphone towers, tricking nearby phones into connecting and revealing users’ locations. Stingrays sweep up data on every phone nearby — collecting information on dozens or potentially hundreds of people. The ruling has the potential to set a strong precedent about warrantless location tracking. [Slashdot]

CA – Surveillance Device Used In Prison Sets Off Police Probe

Federal prison authorities are under criminal investigation for possible illegal surveillance. The probe centres on Correctional Service Canada’s use of a dragnet surveillance device inside a penitentiary. Fallout from the 2015 surveillance incident, involving a device that CSC officials called a “cellular grabber,” has led to a lawsuit from jail guards and a criminal inquiry by the Ontario Provincial Police. [Source]

CA – RCMP Fight to Keep Lid on High-Tech Investigation Tool

Police in Canada are fighting to keep secret the specifics of advanced technology they’ve used to spy on mobile phones in a criminal investigation into organized crime. Court documents filed in the Quebec Court of Appeal show government lawyers have acknowledged that the RCMP used an extraordinary communications-interception technique involving “mobile device identifier” equipment. But the Crown will be fighting to keep details of the operation under wraps during a court hearing scheduled for March 30 in Montreal. Chris Parsons, a researcher with the Citizen Lab at the University of Toronto’s Munk School, said this case “wouldn’t be the first time [these devices] have been used – but it would be the first time [authorities] have been caught out in court.” The public is bound to want to know more, Mr. Parsons said. “These are fundamentally devices of mass surveillance,” he said. [Source]

AU – Fears Policing Databases Will Be Exempt from Privacy Laws

National policing databases for firearms, domestic violence and child offenders will no longer be overseen by Australia’s privacy watchdog and could be exempt entirely from privacy laws if they are handed over to the Australian Crime Commission under proposed laws. The information commissioner, Timothy Pilgrim, has warned in a Senate inquiry submission that if a proposed bill to merge Crimtrac’s functions into the Australian Crime Commission is passed the data held by CrimTrac will no longer be subject to Australia’s privacy laws. The federal government has put forward bills that would see the secretive Australian Crime Commission, which has the power to conduct coercive interviews, essentially take over the functions of CrimTrac and other agencies. CrimTrac is the national policing organisation that holds major databases surrounding firearms, domestic violence, child offenders and missing persons. It also assists in the collection of biometric data for the immigration department. As a result it holds large quantities of personal information on millions of Australians. The agency will continue to be overseen by the commonwealth ombudsman and the Australian Commission for Law Enforcement and Integrity. But Pilgrim said the “scope of that oversight differs” from the specific privacy related oversight of the Office of the Australian Information Commissioner. [The Guardian]


UK – Unmasking Banksy: Did ‘Predictive Policing’ Tool Catch An Artist?

A geographic profiling tool, developed to find serial criminals and terrorists, may have helped unmask the mystery identity of Banksy. Researchers say they have identified the elusive artist – creator of million-dollar works of political graffiti – as Robin Gunningham, supporting a theory published by Daily Mail in 2008. Scientists at Queen Mary University of London used a statistical tool to map 140 locations of Banksy’s works around Bristol and London and compare them to the homes of possible candidates, they wrote in the Journal of Spatial Science. That led them to Mr. Gunningham. This mathematical method of analysis, known as criminal and geographic profiling, is often used by law enforcement to identify serial criminals. The idea behind the technique is that people tend to commit crimes close to where they live. The technique has also been used to trace breeding sites for malaria outbreaks or to locate the roosts of wild bats, and the researchers suggested that what helped find one graffiti artist could also help locate terrorists. “More broadly, these results support previous suggestions that analysis of minor terrorism-related acts (e.g., graffiti) could be used to help locate terrorist bases before more serious incidents occur,” they wrote in their abstract. Not everyone accepts that geographical profiling can accurately pinpoint perpetrators, though it’s used by several US police departments. Data-fueled analytics also called “predictive policing,” has drawn considerable critics, arguing that the method is discriminatory and often targets minorities. “What data are they using? How are they weighing variables? What values and biases are coded into them? writes the Guardian. “Even the companies that develop them can’t answer all those questions, and what they do know can’t be divulged because of trade secrets.” “Police departments are opening the way for corporations to have disproportionate influence over what policing means in society. Technologies are not just neutral tools, and they are not divorced from politics; they are designed with certain values and goals in mind.” [Source] See also: [The Crime You Have Not Yet Committed]

Online Privacy

WW – Researchers Translate Privacy Policies into Layman’s Terms

A team of Stanford University, Carnegie Mellon University and Fordham University researchers — during a two-year span — simplified more than 20,000 privacy policies from nearly 200 websites into a more approachable and user-friendly form for their Usable Privacy Project . “Our objective is to produce succinct yet informative summaries that can be included in browser plug-ins or interactively conveyed to users by privacy assistants that inform users about salient privacy practices,” said Carnegie Mellon’s “principal investigator.” [SC Magazine]

WW – Google Agrees to Delist Links More Broadly For RTBF Compliance

Google will begin delisting links more broadly in order to better align with data protection authorities’ interpretation of the EU’s right-to-be forgotten mandate. Previously, the company said it wasn’t responsible for delisting links from and other non-EU search domains. Now, it will use geolocation data to “restrict access to delisted URLs on all Google search domains accessible from the country of the person making the delisting request,” the report states. Google Global Privacy Counsel Peter Fleischer said that, since the European Court’s ruling, the company has worked hard to find the right implementation balance. “Despite occasional disagreements, we’ve maintained a collaborative dialogue with data protection authorities throughout. We’re committed to continuing to work in this way,” he said. According to Fleischer, Google will apply its new policy retrospectively to all search results it has already delisted following RTBF requests. Google’s Transparency Report shows that the company so far has evaluated more than 1.4 million URLs for removal in response to nearly 399,000 RTBF requests. It has delisted about 43% of the links so far while leaving the remaining 57% in place. [eWEEK]

CA – Controversial Calgary-based App Peeple Launches

Curious about your kid’s soccer coach? Wondering what others think of that guy who asked you out? There’s an app for that. Sort of. The Calgary-conceived app Peeple, announced to a firestorm of controversy late last year, is finally launching Monday after retooling a number of features. Peeple will let users rate each other in three areas: personal, professional, and romantic. In a change from the original concept, reviews are only posted with the consent of the person being reviewed — that is, the service is opt-in and a user can hide their negative reviews. But a planned future paid subscription Cordray called the “truth license” — not available for Monday’s launch — will let users see all reviews, even hidden ones. [Calgary Herald] See also: [Fortney: Peeple app creator stands firm, in a bathroom] [and [‘You can’t possibly be that naive’: Dr. Phil delivers a folksy smackdown on Peeple app co-founder]

UK – ‘HAT’ trick: Service Allows Users to See and Trade Their Data

The Hub of all Things is a new service designed by U.K. researchers and aims to be the one-stop-shop for Internet users wanting to control who accesses their data and for how long. It’s a virtual personal data “store,” which allows users to see the data corporations store about them, then trade it, thus reaping the benefit of its value. Designers have launched an Indiegogo campaign to “mobilize a social movement to put the power of the Internet back into individual hands,” the report states. IOT data has “enormous value,” said HATDEX CEO Paul Tasker. “We believe that if all of us have our own HATs, we will have more power in the future to influence how our data is collected, stored and used; hugely benefitting ourselves and society whilst providing new opportunities to firms wanting to sell to us.” [ZDNet]

Other Jurisdictions

NZ – Privacy Commissioner Overwhelmed As Digital Generation Overshares

During a New South Wales parliamentary oversight committee meeting last week, Australian Privacy Commissioner Elizabeth Coombs argued to an oversight committee last week that expanding her role from part time to full time while increasing her office’s resources are necessary to expand the agency’s influence. “So much sharing of data was increasing the demand for her work,” the report states. It’s now “apparent that the digital generation cares about its privacy,” and as such Coombs “has welcomed the call for a significant expansion of her powers.” [The Sydney Morning Herald]

NZ – NSW Parliamentary Committee Backs New Privacy Laws for Individuals

The New South Wales Parliament’s Standing Committee on Law and Justice has announced its support of new legislation that would provide legal redress for individuals after a privacy breach. The laws would “fill gaps” left by the Commonwealth Privacy Act, as the legislation currently only applies to information and not small businesses or individuals, the report states. “The NSW committee has called on the state government to take a lead in the implementation of individualised privacy rules, in the face of ‘a lack of political will federally’ to put in place uniform national legislation,” the report continued. [iTnews]

NZ – NSW Pawnbrokers Association Criticizes MAC Address Requirement

New state laws require pawnbrokers to collect and store the MAC addresses of any Wi-Fi enabled tools that come through their stores. While police argue it will help track stolen devices, the NSW Pawnbrokers Association believes the requirements have “workability” and privacy problems, the report states. Customers are “averse to giving us that information if they don’t have to because they don’t want us to have access in that privacy sense,” said the association’s spokesman. “Some people don’t care — the computer is just a toy or a novelty item, but for others it’s a serious business tool … and they just don’t want people having unfettered access to that information.” [iTnews]

Privacy (US)

US – Apple Tells Judge that US Gov’t is Well-Meaning but Wrong in Privacy Fight

Apple filed its final court brief in the San Bernardino iPhone case. Apple softened its rhetoric against the Justice Department, which has been heated on both sides of the debate in the last few weeks. The 26-page brief is the last court filing by either side until they meet in court March 22. “The government’s motivations are understandable,” Apple wrote in its latest filing, “but its methods for achieving its objectives are contrary to the rule of law, the democratic process, and the rights of the American people.” According to the report, the Department of Justice said Apple was attempting to usurp power from the federal government, adding, “The Constitution and the laws of the United States do not vest that power in a single corporation.” [the Guardian]

US – Verizon Wireless to Pay $1.35 Million Fine to Settle U.S. Privacy Probe

Verizon will pay a $1.35 million fine and agreed to a three-year consent decree after the FCC said it found the company’s wireless unit violated the privacy of its users. Verizon Wireless agreed to get consumer consent before sending data about “supercookies” from its more than 100 million users, under a settlement. The largest U.S. mobile company inserted unique tracking codes in its users traffic for advertising purposes. Supercookies are unique, undeletable identifiers inserted into web traffic to identify customers in order to deliver targeted ads from Verizon and others. The FCC said Verizon Wireless failed to disclose the practice from late 2012 until 2014, violating a 2010 FCC regulation on Internet transparency. The FCC also said the supercookies overrode consumers privacy practices they had set on web browsers, which led some advocates to call it a “zombie cookie.” Under the agreement, consumers must opt in to allow their information to be shared outside Verizon Wireless, and have the right to “opt out” of sharing information with Verizon. Until March 2015, Verizon Wireless consumers could not opt out of the “supercookies,” but after several U.S. senators raised concerns about the practice, the company agreed to allow an opt-out. [Source]

WW – PWC Releases 2015 Enforcement Guide

PricewaterhouseCoopers has released its Privacy and Security Enforcement Tracker 2015. The second-annual guide aims to reflect on the past year’s most significant regulatory movements in the U.K. and across the globe. “If 2014 sounded an alarm to encourage the controllers and users of networks, computer and communications systems and [personnel] to review and improve their practices for privacy and security, then 2015 was the year when the final alarm was sounded,” the guide states. “The message of 2015 is clear: Entities that fail to take voluntary action to remedy bad practices will be forced to change.” [Source]

US – Erin Andrews Awarded $55M for Privacy Invasion

Sports reporter Erin Andrews was awarded $55 million in an invasion of privacy lawsuit. In 2008, a stalker had surreptitiously recorded the well-known reporter while she was getting dressed in her hotel room, thanks to knowledge supplied by the hotel. Though she had asked for $75 million in the lawsuit, the jury was clearly sending a message, recognizing a very real and lasting privacy harm. [Privacy Perspectives]

US – Drone Regulation Faces Committee Approval

The Senate Committee on Commerce, Science, and Transportation looks to approve legislation that would place drone regulation under the Federal Aviation Administration’s control. “Its key provisions would facilitate specific drone tests with set deadlines for progress reports and ensure that the FAA is involved at every step,” the report states. The bipartisan bill pleases drone industry representatives. “These policies will accelerate the safe use of commercial [unmanned aircraft systems] as well as expand collaborative research and operational efforts,” said the Association of Unmanned Vehicle Systems International’s Brian Wynne. “We urge the Senate to pass this bill quickly, as delaying this measure risks stunting a still-nascent industry and restricting many of the beneficial ways that businesses could use UAS technology.” [Morning Consult] See also: the smattering of state drone laws may conflict in with the drone policies of the Federal Aviation Administration


US – Weak Online Banking Password Policies

An investigation revealed that out of these 17 major banks six of them have a significant weakness in their password policy – they ignore case-sensitivity. In total, this security weakness may impact more than 350 million customers nationally. The researchers attempted to contact the banks to inform them about this issue and tried to ask for a statement why they decided to pursue a weak password policy. It turned out that it is almost impossible to contact and notify them about a security issue. When contacted via telephone hotline, most representatives were only trained for everyday business activities. e.g.:

  • 1 org was adamant that they have a case-sensitive password policy, but testing showed otherwise
  • 1 org was not even aware of the existence of a security / IT-department
  • 1 org simply said that this is their policy without any further statement or explanation [Source]

CA – KPMG Report Identified Five Key Cybersecurity Trends

Increased risks of ransomware and extortion-driven attacks as well as the rise of the Internet of Things (IoT) are challenging Canadian organizations in new ways, according to a recent report from audit, tax and advisory services firm KPMG LLP, who have identified five key cybersecurity trends impacting Canadian businesses in its Cyber Watch Report, released last week. These security risks are putting heightened pressure on organizations to protect, detect and respond to new adversaries and threat tactics, while preserving their trust and reputation with customers. [Daily News]

US – University of California Breach Monitoring System Creates Controversy

After a 2015 cyberattack, University of California President and former Secretary of Homeland Security Janet Napolitano secretly ordered a data monitoring security system installed on all state campuses, a move that, when recently exposed, has started a statewide debate. The system “monitors Internet traffic [and] it also stores it for at least 30 days. The idea is to allow security personnel to go back through the traffic to look for breaches.” Both the monitoring system and the secretiveness surrounding it have sparked ire among students and faculty. “The very substance of higher learning really would not be possible unless the faculty and students have some guarantee of confidentiality,” said the American Association of State Colleges and Universities. [NPR]

WW – Windows 10 Will Add APT Protection

At the RSA conference in San Francisco, Microsoft revealed that it would be adding protection against advanced persistent threats (APTs) to Windows 10. The service, Windows Defender Advanced Threat Protection, detects anomalous system activity. It is currently in private beta on about 500,000 systems. [NextGov] [ArsTechnica]


US – FBI Quietly Changes Privacy Rules for Accessing NSA Data

The FBI has quietly revised its privacy rules for searching data involving Americans’ international communications that was collected by the NSA, US officials have confirmed. The classified revisions were accepted by the secret US court that governs surveillance, during its annual recertification of the agencies’ broad surveillance powers. The new rules affect a set of powers colloquially known as Section 702, the portion of the law that authorizes the NSA’s sweeping “Prism” program to collect internet data. Section 702 falls under the Foreign Intelligence Surveillance Act (FISA), and is a provision set to expire later this year. A government civil liberties watchdog, the Privacy and Civil Liberties Oversight Group (PCLOB), alluded to the change in its recent overview of ongoing surveillance practices. The watchdog confirmed in a 2014 report that the FBI is allowed direct access to the NSA’s massive collections of international emails, texts and phone calls – which often include Americans on one end of the conversation. The activists also expressed concern that the FBI’s “minimization” rules, for removing or limiting sensitive data that could identify Americans, did not reflect the bureau’s easy access to the NSA’s collected international communications. FBI officials can search through the data, using Americans’ identifying information, for what PCLOB called “routine” queries unrelated to national security. The oversight group recommended more safeguards around “the FBI’s use and dissemination of Section 702 data in connection with non-foreign intelligence criminal matters”. As of 2014, the FBI was not even required to make note of when it searched the metadata, which includes the “to” or “from” lines of an email. Nor does it record how many of its data searches involve Americans’ identifying details – a practice that apparently continued through 2015, based on documents released last February. The PCLOB called such searches “substantial”, since the FBI keeps NSA-collected data with the information it acquires through more traditional means, such as individualized warrants. But the PCLOB’s new compliance report, released last month, found that the administration has submitted “revised FBI minimization procedures“ that address at least some of the group’s concerns about “many” FBI agents who use NSA-gathered data. “Changes have been implemented based on PCLOB recommendations, but we cannot comment further due to classification,” said Christopher Allen, a spokesman for the FBI. [The Guardian]

US – Court Approves $9 Million Class Action Settlement to Resolve Allegations of Unauthorized Installation of Tracking Software on Mobile Devices

The Court approved a class action settlement resolving allegations that multiple smartphone and tablet makers installed wiretapping software on their devices. Defendants are the following mobile device manufacturers: HTC; Huawei, LG Electronics, Motorola; Pantech, and Samsung. Net proceeds of the settlement will be awarded equally to class members (after payment of service awards, attorneys’ fees, costs and expense, taxes, and the costs of notice and administration of the settlement); a website must be established to provide class members with notice of the material terms of the settlement, procedures to receive benefits or exclude themselves, and how to provide comments about the settlement. [In Re Carrier IQ Inc. Consumer Privacy Litigation – US District Court Northern District of California – Case No. C-12-md-2330-EMC]

Telecom / TV

US – FCC Proposes New Privacy Rules for ISPs

Federal Communications Commission Chairman Tom Wheeler announced the agency’s highly anticipated proposal for new privacy rules for Internet service providers Thursday. Though the agency did not release the actual proposal, Wheeler described the main points of it — which centered around choice, security and transparency — and offered a three-page fact sheet. Not everyone supports this big move by the agency, however. [Source] See also: [How the FCC’s Privacy Proposal Could Affect More Than ISPs] [U.S. FCC Internet privacy proposal could harm broadband providers – Moody’s] [Wheeler: ‘Customers ought to have a say’]

US Government Programs

US – DHS Cyber Threat Sharing Program Review Shows Privacy Risks

A Department of Homeland Security review has revealed that an information-sharing program required under the Cybersecurity Information Sharing Act, passed in December, has privacy protection issues. According to the DHS report, safeguards put in place to prevent personally identifiable information may not be working. There is “residual privacy risk that these processes may not always identify and remove unrelated [personal information], thereby disseminating more [information] than is directly related to the cybersecurity threat,” DHS wrote. Under CISA, any PII shared through the program must be directly related to a cybersecurity threat, the report states. [Source]

US Legislation

US – Colorado May Ease Student Health Privacy Rules in Response to Shootings

A bipartisan Colorado bill aims to grant private therapists and counselors more legal latitude to communicate with school officials when a patient’s behavior could result in “a dangerous environment in a school,” a move that has some mental health workers concerned about its privacy impact. While the bill emphasizes the confidentiality of disclosure practices, some argue it might not be enough. “The main concern is that confidentiality is the backbone of successful therapy and treatment,” argued Mental Health America of Colorado’s Moe Keller, also a former legislator. “You have to be able to trust the person you’re talking to.” The bill passed in the state’s House of Representatives and is posed for a Senate vote. [The Wall Street Journal]

Workplace Privacy

EU – Netherlands: Companies Should Not Track Workers Through Wearables

Dutch Companies may not use wearables to monitor the health of their employees, even if the employees permission controls. This is in breach of the Data Protection Act. That the Authority Personal (AP) determined after investigation of two companies that used wearables to gain insight into the amount of movement of workers. One of the two employers also had insight into the sleep pattern of the employees. The employees of the companies were free to decide whether or not to participate in the experiment. According to the AP, there is an employment relationship, however, no question of free consent, because the employee financially dependent on the company. [Source] [(Original – in Dutch] [Google translation]

US – Approved Bill Deals with Internet Privacy At Work

A bill preventing employers from accessing their employees’ social media accounts passed the legislature on the final day of the 60-day regular session. Del. Stephen Skinner (D-Jefferson) sponsored the Internet Privacy Protection Act (HB 4364) to establish guidelines when it comes to employees’ online privacy. The legislation would prevent employers from obtaining social media passwords from their employees and also help employers, according to Skinner. There are currently no federal laws in place regarding social media privacy at work, Skinner said. [Source]




01-07 March 2016


CA – OIPC SK Finds Health Authority Allowed Technologists to Work Under Each Other’s Log-Ins

The Saskatchewan Information and Privacy Commissioner investigated a breach at the Saskatoon Regional Health Authority. It took 3-5 minutes for technologists to log-in and out of the system between patients which was too time-consuming; a number of solutions are being explored including providing each user with their own workstations (this would be very expensive and there is limited physical space), going paperless (there is still heavy reliance on paper requisitions and communications that require scanning), and having an assistant do all the scanning (this could compromise patient safety). [OIPC SK – Investigation Report 176-2015 – Saskatoon Regional Health Authority] See also: [Regina Leader: Saskatchewan Patient Access to Online Health Records Requires Big Focus on Security]

CA – OPC NS Outlines Privacy Rights for Government Info Sharing Initiatives

The Nova Scotia Information and Privacy Commissioner has released guidance on privacy rights in information sharing initiatives. Government entities should be open and transparent about how information sharing initiatives will be implemented, share the least amount of information needed to satisfy the goals of the initiative, and be accountable by implementing initiatives that establish and follow policies and procedures, risk assessment tools, formal agreements and contracts, and privacy breach reporting protocols. [OIPC NS – Protecting and Promoting Canadians Privacy and Access Rights in Information Sharing Initiatives] See also: Privacy Commissioner of Canada Daniel Therrien addressed the Senate and detailed his privacy goals in a keynote posted on the OPC’s site.


WW – Billboards Can Track Your Location; Privacy Advocates Hate It

The next time you see a billboard on the side of the road, it may also be scanning you. A geolocation-tracking feature on billboards owned by Clear Channel Outdoor gives the company new ways to target advertising and measure its effectiveness. The service has caught the eye of privacy advocates, who worry that the so-called Radar tracker will be able to collect massive amounts of information from smartphones in cars driving past. Radar will collect mobile data from three Clear Channel partners, including AT&T. Clear Channel Outdoor receives aggregated and anonymous data from its partners, not personal information, said the VP of corporate communications at the company. The company launched the service in 11 markets earlier this week. [Source] See also: [Hey, Siri and Alexa: Let’s talk privacy practices]

Electronic Records

US – Healthcare Organizations Commit to Improve EHR Information Sharing

Several of the nation’s largest players in the private sector have committed to an initiative to improve the ability of providers and patients to share and use information in electronic health records. The effort has gained support from some of the nation’s largest developers of electronic health records systems, representing 90% of the health records used by U.S. hospitals, said the secretary of the Department of Health and Human Services . And the five largest private provider systems in the country are among a group of 16 hospital and health systems that have also indicated support for the initiative. Several large industry professional organizations—including the American Medical Association, the American Health Information Management Association, HIMSS and the College of Healthcare Information Management Executives—were quick to add support for the movement. The vendors and providers have agreed to implement three core commitments: Consumer access: To help consumers easily and securely access their electronic health information, direct it to any desired location, learn how their information can be shared and used, and be assured that this information will be effectively and safely used to benefit their health and that of their community. No information blocking: To help providers share individuals’ health information for care with other providers and their patients whenever permitted by law, and not block electronic health information (defined as knowingly and unreasonably interfering with information sharing). Standards: Implement federally recognized, national interoperability standards, policies, guidance, and practices for electronic health information and adopt best practices including those related to privacy and security. [Information Management]


US – Why N.Y. judge’s All Writs Act Decision Is Huge Win for Apple

U.S. Magistrate Judge James Orenstein of Brooklyn does not have the power to bind other courts. The 50-page opinion he issued this week, denying the Justice Department’s application for an order under the All Writs Act to compel Apple to help the government unlock the phone of a convicted drug dealer, will not end the California federal-court showdown between Apple and the Justice Department over an iPhone belonging to San Bernardino shooter Syed Farook. Judge Orenstein’s decision isn’t even the last word in the Brooklyn case – the Justice Department said that it will ask for the order to be overturned by a district court judge. But Orenstein’s opinion is a milestone in the ongoing debate over privacy and national security. He is the first federal judge to analyze the reach of the All Writs Act in the age of the smartphone, yet he roots his discussion not in technological terms but in fundamental U.S. constitutional principles. Orenstein’s conclusions do not rely on the specific facts of the case before him or on the particulars of the operating system at issue. They are based on his reading of constitutional and Congressional history, providing broad context for his assertion of government overreaching. Judges considering contested All Writs Act requests in other courts may differ with Orenstein but they ought not ignore him. [Source] [Apple and FBI testify in hearing on locked iPhone: What we learned] [Apple’s Tim Cook defends privacy at shareholder meeting]

EU Developments

EU – EU-US Officials Release Privacy Shield Details

The European Commission and U.S. Department of Commerce have released details about the highly anticipated EU-U.S. Privacy Shield arrangement this week. The 132-page Privacy Shield Package includes a set of “Privacy Shield Principles,” two annexes, and letters from the International Trade Administration, U.S. Federal Trade Commission, U.S. Department of Transportation, the U.S. Director of National Intelligence, U.S. Department of State, and the U.S. Department of Justice. The proposed data transfer agreement is being met with criticism from privacy advocates, leaving US companies in limbo regarding the handling of EU citizens’ data. Privacy Shield was created as a replacement for the Safe Harbor Agreement, which the European Court of Justice nullified last October. Privacy Shield now faces scrutiny of EU regulators. [Ars Technica] [The Hill] [ComputerWorld] [Fortune] [The Privacy Advisor]

EU – WP29 Issues Statement on Privacy Shield

The group of EU data protection authorities — the Article 29 Working Party — issued a statement this week in response to the newly published details of the proposed EU-U.S. Privacy Shield arrangement. The group says it “welcomes the publication of the draft ‘adequacy decision’ of the European Commission” and the corresponding texts comprising the arrangement. It also said it will “analyze the safeguards” both in terms of the commercial and national security aspects and will finalize a draft opinion at its next plenary meeting on April 12 and 13. Meanwhile, reaction to the 132-page package is underway, including from Schleswig-Holstein DPA Marit Hansen. [Source]

UK – Techs, Privacy Wonks & Politicos Blast Investigatory Powers Bill

A tweaked version of the Investigatory Powers Bill—which seeks to augment surveillance of Brits’ online activity—landed with a thud in parliament this week, as privacy groups, the tech world, and politicians lined up to attack home secretary Theresa May’s proposed law. Time and time again, the word “disappointment” was bandied around by companies, organisations, and individuals that will be directly affected by the planned legislation. Many critics expressed anger about May’s dismissive response to the key recommendations laid out in three separate parliamentary reports about the Snoopers’ Charter, as it is colloquially known. [Ars Technica] [Everything you need to know about the redrafted IP Bill] [According to opinion polls voters don’t mind mass surveillance] [UK: Surveillance law: Revised bill to add privacy safeguards] [The UK government has been hacking for years—and now it’s legal]

EU – Facebook Hit With German Antitrust Investigation Over User Terms

Germany’s Federal Cartel Office will begin an investigation on Facebook’s data collection and advertising agreements. The unclear terms create “an abusive imposition of unfair conditions on users,” the Bundeskartellamt argued in a statement. “There is considerable doubt as to the admissibility of this procedure, in particular under applicable national data protection law,” the statement continued. “If there is a connection between such an infringement and market dominance, this could also constitute an abusive practice under competition law.” Facebook disagrees. “We are confident that we comply with the law and we look forward to working with the Federal Cartel Office to answer their questions.” [Fortune]

EU – German Privacy Watchdog Plans to Fine US Companies

Hamburg (Germany) Data Protection Authority (DPA) plans to fine three US companies for mishandling EU citizens’ data. The companies were following the Safe Harbor agreement that an EU court nullified last fall. Because there is not a firm new agreement in place, companies that are transferring data are breaking the law. Two other companies are reportedly under investigation. [Fortune] See also: Germany’s new data protection enforcement law went live on Feb. 24, and it could pose “an additional risk” for companies. See also: French data protection authority, CNIL, published its Single Authorization Decision No. 46, which aims to simplify the “administration burden” of legal compliance upon data processing.

Facts & Stats

WW – National Security Trumps Digital Privacy: 24 Country Survey

According to a new survey commissioned by the Centre for International Governance Innovation (CIGI) and conducted by global research company Ipsos, most global citizens favour enabling law enforcement to access private online conversations if they have valid national security reasons to do so, or if they are investigating an individual suspected of committing a crime. The survey also found that a majority of respondents do not want companies to develop technologies that would undermine law enforcement’s ability to access much needed data.

  • Seven in ten (70%) global citizens agree that law enforcement agencies should have a right to access the content of their citizens’ online communications for valid national security reasons, including 69% of Americans and 65% of Canadians who agree.
  • When someone is suspected of a crime, 85% of global citizens agree that governments should be able to find out who their suspects communicated with online, including 80% of Americans who agree.
  • More contentious is the idea of whether companies should be allowed to develop technologies that prevent law enforcement from accessing the content of an individual’s online conversations. On this issue, 63% agree that companies should not develop this technology, including 60% of Americans, and 57% of Canadians whom are most likely to agree with this statement.

Read the news release here. [Centre for International Governance Innovation (CIGI)]


CA – CRA Automates Most of Your Return, Helping Tax Software

Electronic tax filing is getting easier this year with Auto-fill, a CRA service that enters information for taxpayers using most kinds of certified tax software. The CRA has always had copies of most of the forms about each taxpayer, receiving them from banks and employers before you do. Last year it began a pilot program with the service it calls Auto-fill that allowed chartered accountants and other certified tax professionals to have this data entered onto a personal tax form automatically. This year that program rolls out to everyone. As long as you are filing on a software program that offers the option and have a “MyAccount” file with the CRA, the Auto-fill function will work. Groups such as Open Media and the Canadian Civil Liberties Association say Auto-fill is too new to assess the privacy implications. The CRA insists the Auto-fill function is secure, as information is only available if a taxpayer logs into MyAccount, which requires a robust password. Ann Cavoukian, a former privacy commissioner, said it is right to worry about privacy and security whenever a new feature like this is rolled out. [Source]

WW – Google’s New Payments App Means Never Having to Pull Out Your Wallet

Pay with your voice. Google has released to the public a new app called Hands Free, which lets people pay for items in stores by simply telling the cashier, “I’ll pay with Google.” The app, available for Android and Apple phones, is only being piloted in a few locations in the San Francisco area, including some McDonald’s and Papa John’s restaurants.Hands Free, which is separate from Google’s Android Pay mobile payments app, works by tracking your location using Wi-Fi and other sensors in your smartphone to detect whether you’re near a participating store. After you say “I’ll pay with Google,” the cashier confirms your identity by using your initials and the photo you’ve loaded onto the Hands Free app. At some stores, Google is also experimenting with an in-store camera to verify your identity automatically based on your Hands Free profile picture. Google said images and data from these cameras are deleted immediately and can’t be accessed by the stores. [Source]


CA – OIPC BC Upholds City’s Decision to Withhold Records

The Office of the BC Information and Privacy Commissioner reviewed a decision by the City of Nanaimo to deny access to records requested pursuant to the Freedom of Information and Protection of Privacy Act. The City was ordered to continue to withhold records which could reveal a motion made at an in camera Committee, emails exchanged between the City and regional district containing explicit markers of confidentiality, and assessment and evaluation records of how a City employee performed his job duties. [OIPC BC – Order F16-03 – City of Nanaimo]


US – Obama Says People Who Give Genetic Samples for Research Should Own the Data

During last week’s summit on the Precision Medicine Initiative at the White House, President Barack Obama acknowledged the thorny issues surrounding genetic data ownership, a move some view as unprecedented. “It requires, first of all, us understanding who owns the data,” Obama said. “And I would like to think that if somebody does a test on me or my genes, that that’s mine. But that’s not always how we define these issues, right? So there’s some legal issues involved,” he added. “I had not heard this before from the president or anyone high-up at the White House, said Genetic Alliance’s Sharon Terry. [Slate] See also: [Manitoba DNA sweeps pose wrenching ethical questions: Carol Goar]

Health / Medical

US – Health IT Firms Ally with White House on Initiatives

The Obama administration announced that it has received commitments from various health IT developers to assist the president’s health care modernization initiatives. Among the proposed plans are allowing patients to access their records and test results with greater ease; streamlining data sharing between entities, while ensuring adherence to privacy legislation: and making the “data language” between groups universal, the report states. “We are working to unlock healthcare data and information so that providers are better informed and patients and families can access their healthcare information, making them empowered, active participants in their own care,” said Health and Human Services Secretary Sylvia Burwell. [The Hill]

EU – German Hospitals Hit with Ransomware

Computer systems at two hospitals in Germany were infected with ransomware. The cleanup process is expected to take several weeks. At Lukas Hospital in Neuss, the attack affected an x-ray system, an email server, and other network components. At Klinikum Arnsberg in North Rhine-Westphalia, the attack was detected after it infected one server. There are reports that a third hospital was targeted as well. [ZDNet] [The Register] [SCMagazine] [] See also: [The “HawkEye” attack: how cybercrooks target small businesses for big money]

UK – NHS Suffers 105 Security Breaches Over Personal Data in Year

Security breaches over personal data held by the NHS nearly doubled to more than 100 during the last financial year. Figures obtained under the Freedom of Information Act show that there were 105 such breaches in hospitals and other bodies in the National Health Service in the financial year 2014-15. This was an increase of 81% on the previous year, with 58 security breaches over personal data. The UK Information Commissioner’s Office said that action was taken to prevent repetitions, including six “enforcement notices” against NHS bodies in 2014-15. [ExaroNews]

Horror Stories

US – IRS Breach Now Estimated to Affect 724,000 People

The number of people affected by the US Internal Revenue Service (IRS) data breach keeps growing. The agency now estimates that the personal information of as many as 724,000 people has been stolen since January 2014. When the breach was first disclosed, the IRS estimated that it affected roughly 100,000 people; that figure was revised to 334,000 on August 2015. [NextGov] [NBCNews] [The Hill] [ComputerWorld] [The Register] [Krebs on Security]

WW – Companies Underestimating Breaches’ ‘Human Element’: Study

The breach catalyzed by a Snapchat employee who fell for a phishing scam is symptomatic of many companies’ data security problems. “Even if your technical security is up to snuff, your people may let you down.” A 2015 CompTIA survey found that more than half of security breaches that year were caused by human error, with 30% of respondents considering the “human element” to be a significant cybersecurity concern. The survey “suggests that companies may not be doing enough to prepare their workers for a world where a new scam might be in their inbox everyday.” [Washington Post] See also: [Hackers Can Steal Passwords, But Not User Behavior: In almost every publicized breach, security analysts ignored the crucial alerts due to the copious amounts of false alarms triggered on a daily basis]

Identity Issues

CA – Manitoba’s Multi-use PID Cards: Convenience Trumps Privacy

On January 11, 2016, Manitoba announced its approval of an all-in-one personal identification card (PIC). The PIC will offer Manitobans a combined driver’s licence, photo ID, Personal Health Identification Number (PHIN) and travel document as early as fall 2017. While the consolidation of identification into one location is a blessing for consumers, it raises privacy concerns and creates some challenges for business. BC introduced a similar combined card in February 2013. But unlike BC, where the province was criticized for not consulting the public, Manitoba Health Minister Sharon Blady emphasized that the move towards PICs came after a five-week public consultation process where overwhelmingly positive responses were reported. 80% of Manitobans surveyed said they agreed with the idea of creating an all-in-one PIC. However, a closer look at Manitoba’s full consultation report reveals interesting data on why PICs were supported. For example, when asked what the most important benefits of the proposed PICs were, 73% of respondents indicated convenience while only 18% cited enhanced protection. Similarly, in an online survey of 1,515 Manitobans, 71% rated convenience as the top benefit while only 16% indicated protection of identity theft/fraud. Public sentiment towards the convenience of PICs illustrates how privacy concerns, which trumped proposals for a national identity card in 2002, could be overlooked in today’s digital age. As a recent survey by the Pew Research Centre demonstrates, people are consistently willing to share personal information in exchange for something of perceived value. For example, 52% of respondents in the Pew survey said they would allow their doctor’s office to upload their personal health information onto a website described as “secure” if it made scheduling appointments easier and facilitated easy access to medical records. [CyberLex Blog (McCarthy Tétrault)]

CA – Inadvertent Sharing of Canadians’ Metadata by Intelligence Agency Shows Weaknesses of De-Identification

Two lawyers examine the sharing of intelligence data between the Five Eyes allies. The agency’s de-identification techniques failed when mixed with its allies’ re-identification capabilities; the risk of re-identification increases significantly where a data set includes data such as location-based data, IP addresses or cookies, or where the attack vector includes significant amounts of secondary data that can be linked to the de-identified dataset. [Why We Need to Reevaluate How We Share Intelligence Data With Allies – Tamir Israel and Christopher Parsons, Just Security]

Internet / WWW

WW – New Project Monitors Social Media for Signs of Mental Illness

Canadian and French researchers are working on algorithm to screen online posts for warning signs. $464,100 has been granted to the University of Ottawa for a three-year-long project called “social web mining and sentiment analysis for mental illness detection.”   “Social media is everywhere,” reads a news release issued by the university. “Internet users are posting, blogging and tweeting about almost everything, including their moods, activities and social interactions.”    The release goes on to explain how scientists from the universities of Ottawa, Alberta and Montpellier in France, will explore the use of social media data in screening for individuals at risk of mental health issues. [CBC]

Law Enforcement

CA – Saskatchewan Police Don’t Have or Want Stingray Tech

Municipal police agencies in Saskatchewan say they’re currently not using — and have no plans to use — “stingray” technology employed by other law enforcement agencies for tracking cellular devices. The technology has come under criticism south of the border from the ACLU; about 60 police agencies across 23 states and the DC in the U.S. have been reported to use the devices. According to a 2015 report from the ACLU, “stingrays,” also known as cell site simulators, are considered “invasive cellphone surveillance devices that mimic cellphone towers and send out signals to trick cellphones in the area into transmitting their locations and identifying information.” Brenda McPhail, director of the Canadian Civil Liberties Association’s privacy, technology and surveillance project, said stingray technology is on the rights advocacy group’s radar. She said requests for information on the devices within the Vancouver Police Department by Vancouver-based advocacy organization Pivot Legal Society, and of the RCMP and the Ontario Provincial Police by the Toronto Star in 2015, have gone largely unanswered. However, McPhail said chances are slim the device is nowhere to be found in Canada. [Saskatoon StarPhoenix] See also: [StingRays breach cell phone privacy]

US – Maryland Bill Permits Govt Use of Automatic License Plate Reader Systems

The State of Maryland has introduced a Bill related to the use of Automated License Plate Readers by law enforcement. Law enforcement agencies are not permitted to use captured data from an automated license plate reader unless the agency has a legitimate law enforcement purposes; the Department of State Police must adopt procedures including an audit process to ensure that information obtained through the use of an automatic license plate reader system is used only for legitimate law enforcement purposes, and safeguards to ensure that staff with access to the automatic license plate reader database are adequately screened and trained. [Maryland Public Safety Code 3-509 – License Plate Readers]

CA – MPPAC: RCMP Commissioner Should Resign Over Breach

The Mounted Police Professional Association of Canada (MPPAC) is calling for the resignation of the RCMP Commissioner Bob Paulson, following an investigation from the Office of the Privacy Commissioner of Canada which found that the release of RCMP members medical information was a “well-founded serious privacy breach.” Commissioner Paulson admitted that he authorized the investigation. Just this week Commissioner Paulson admitted to authorizing the release of sensitive health information of RCMP officers to the College of Psychologists without their permission. Canada’s Privacy Commissioner concluded that by sharing private medical information without the consent of the officers, the RCMP breached the Privacy Act. If the Commissioner does not resign, MPPAC is calling on the Government of Canada to take appropriate action. [Canada NewsWire]

Online Privacy

WW – Protect Your Privacy Online—and See Better Prices Doing It

The prices you see while shopping on the Web are aren’t always the same as the deals displayed to your spouse, neighbors or co-workers. But now, at least one technology company is helping customers see the unadulterated costs of their online purchases. eBlocker is a device that attaches to customers’ Wi-Fi routers to mask their identity from online tracking software. eBlocker protects every device in your home by combining the power of an advertising blocker, an IP address rerouter and by protecting you from being identified by third-party trackers. In other words, when you get online, you get a clean slate as if you’ve never used that device before. You can still use first-party cookies, like those that remember your passwords, but once you leave that website, you’re anonymous again. It’s like a combination of encryption, Adblock Plus and Tor, a so-called onion router often associated with the “dark Web.” But eBlocker avoids the hassle of installing all these on each device. It’s all part of an elaborate industry aimed at stopping a largely opaque phenomenon of online tracking: dynamic pricing. [CNBC]

Other Jurisdictions

AU – NSW May Introduce Tort/Law of Invasions of Privacy

Secret mobile phone recordings and revenge porn-style social media posts could be subject to tough new laws in NSW allowing people to sue for damages for invasion of privacy. The State Parliament’s law and justice committee recommended that NSW should “lead the way” in Australia in creating a new legal action for serious invasions of privacy. The laws could be replicated across the country. Under the plan, a person could sue for damages if their privacy had been invaded intentionally or recklessly. Governments and corporations would be held to a higher standard, and could also be pursued for damages over “big data”-style privacy breaches committed negligently. But experts have raised questions about whether the laws go too far, and might catch a wide range of “common human errors” such as government or corporate employees sending an email containing private information to the wrong recipient. The recommendations, endorsed unanimously by committee members drawn from the ranks of the Coalition, Labor and the Greens, follow renewed debate about the adequacy of existing laws protecting against invasions of privacy. [Sydney Morning Herald]

Privacy (US)

US – Apple Wins Ruling in New York iPhone Hacking Order

U.S. Magistrate Judge James Orenstein denied a government request that Apple help it gather data from an iPhone in a drug case, a ruling that bolsters Apple’s pro-privacy posture and potentially paves the way for similar judgments in other pending cases, including the iPhone of one of the San Bernardino shooters. Orenstein ruled the government was expanding its authority too broadly by using the All Writs Act to compel Apple to extract the locked phone’s data. Apple’s top lawyer, Bruce Sewell will testify in front of Congress today, along with FBI Director James Comey, on encryption and government access for law enforcement purposes. Meanwhile, Sen. Mark Warner, D-Va., and Rep. Michael McCaul, R-Texas, have officially introduced legislation that would create a National Commission on Security and Technology Challenges to help find solutions to the encryption and data security issue. [New York Times] See also: [Privacy groups wary of compromise encryption bill]

US – NY Court Rejects FBI Argument for Breaking iPhone Lockscreen in 2nd Case

Apple just won a victory in an iPhone warrant case although it may not help the company in its San Bernardino trial. The victory comes from a New York district court that’s been facing something legally similar to the higher-profile warrant case playing out in San Bernardino. In a 50-page ruling, Magistrate Judge Orenstein found that the All Writs Act did not justify the government’s request, and denied the government’s request to legally compel Apple’s help. [The Verge] See also: [Huge data cache retrieved from electronic devices belonging to men accused of Tim Bosma murder: OPP]

US – Legislators Speak Out in Support of Apple

Representative Darrell Issa (R-California) has published a column on in which he writes, “The FBI cannot mandate that Apple create a backdoor to override the iPhone’s encryption features without creating a dangerous precedent that could cast a long shadow over the future of how we use our phones, laptops, and the internet for years to come.” [Wired] In a letter to FBI Director James Comey, US Congressman Ted Lieu (D-California) writes, “As a computer science major, I have seen far-reaching unintended consequences when government applies outmoded concepts to out fast changing technological world.” [FCW] As the debate surrounding the FBI’s case against Apple continues, two U.S. lawmakers have proposed a new multi-stakeholder commission to investigate data security issues.

US – Digital Equilibrium Project on Privacy and Security in the Connected World

The Digital Equilibrium Project, a collection of privacy and infosecurity veterans from government and industry have launched a white paper to define the issue and announce plans for a summit this summer to tackle what they describe as the “growing tension between privacy and security.” This paper is meant to foster a new, collaborative discussion on the most pressing questions that could determine the future safety and social value of the internet and the digital technologies that depend on it. It urges governments, corporations and privacy advocates to put aside the polarizing arguments that have cast security and privacy as opposing forces, posing 4 fundamental questions that must be addressed to ensure the digital world can evolve in ways that ensure individual privacy while enabling the productivity and commercial gains that can improve quality of life around the globe. Ann Cavoukian is among the authors. [Read Now]

US – California DMV Sued for Alleged Illegal Data Retention

Six plaintiffs maintain that California’s Department of Motor Vehicles breached the Information Practices Act and due process by unlawfully collecting and sharing private criminal records. The court papers, filed last week, argue that the agency has a trove of “upwards of one million” Californians’ data, a move that “violates privacy protections for certain records by retaining them after the statutory period has expired,” the report states. “California employers are aware that the DMV’s loose record retention and reporting practices allow them access to criminal history records they would otherwise be unable to obtain,” the suit states. “They take full advantage of this criminal record reporting loophole.” [Courthouse News]

Privacy Enhancing Technologies (PETs)

US – DHS Awards Yale University $1.7M for Data Privacy Research

Yale University’s “PriFi Networking” project now has $1.7 million from the Department of Homeland Security, a grant from the agency that aims to assist the university’s anti-tracking and surveillance technology development. The gift was thanks to the DHS Science and Technology Cyber Security Division’s Data Privacy program that invests in the creation of cost-effective and approachable pro-privacy tools. “Keeping the homeland secure depends on both guarding and granting access to secure systems, facilities, and other resources,” said DHS Undersecretary for Science and Technology Dr. Reginald Brothers. “Protecting Personally Identifiable Information is vital to the DHS mission and S&T has a long-standing interest in privacy-enhancing technologies.” [Newswise]


US – IBM to Acquire Resilient Systems, Bringing Bruce Schneier on Board

Cybersecurity firm Resilient Systems and its Chief Technology Officer Bruce Schneier will become a part of the IBM family. “The acquisition will give IBM Security the industry’s first integrated end-to-end platform combining analytics, forensics, vulnerability management and incident response,” the report states. “The deal should be good for both companies, and will certainly benefit their respective customers.” [PCWorld]

US – CFPB Dives Into Data Security Enforcement

On March 2, 2016, the Consumer Financial Protection Bureau (CFPB) announced its first data security enforcement action in the form of a Consent Order with online payment platform Dwolla, Inc.  The five-year Consent Order is based on CFPB allegations that Dwolla engaged in deceptive acts and practices by misrepresenting to consumers that it had “reasonable and appropriate data security practices.”  Dwolla neither admitted nor denied that it engaged in data security misrepresentations.  The CFPB fined Dwolla $100,000, enjoined it from making further misrepresentations, and is requiring that it develop a written, comprehensive data security program, designate a person responsible for the program, provide employee training, conduct risk assessments, and undergo independent third party audits annually, among other things.  The CFPB also places primary responsibility for compliance with the Consent Order on Dwolla’s board of directors. [HLDA]

WW – Securing Data for Remote Access Users

Business requirements, distributed operations, and cloud deployments are forcing organizations to rethink remote access requirements, including how to secure the data and applications they access. According to a study conducted by software company Intuit, by 2020 more than 40% of the U.S. workforce will be contractors and contingent workers; that’s more than 60 million people. Why so? Because of the almost ubiquitous needs for organizations to share data in such a way that it speeds the flow of business transactions. The result is that most users are outside the enterprises, accessing data and applications as credentialed guests. And hence, the ‘outside-in’ network is the new normal. [Source]


US – California Courts Demand Total Access to Email and Social Media Accounts

The California Electronic Communications Privacy Act. Which took effect on Jan 1, 2016, has privacy advocates concerned that its “Fourth waiver” element railroads the privacy of individuals under probation or parole. This component of the act permits law enforcement to check the laptops or other devices of individuals on parole without a warrant. “Folks on parole, probation, even supervised release, they have a reduced expectation of privacy while they’re under supervision,” said the ACLU of California. “But that’s not the same as no right to privacy online or offline.” [The Intercept]

Telecom / TV

US – Cable/Telecom Operators Offer Up Privacy Framework to FCC

The National Cable & Telecommunications Association and American Cable Association have joined with other trade and tech groups to offer up what is being billed as a consensus privacy framework outlining guiding privacy principles. In essence, the framework is an articulation of NCTA’s argument that rather than come up with new rules and regs, the FCC should, as the new proposal says, “[pursue] reasonable enforcement actions against telecommunications service providers that have clearly violated these principles.” That is the FTC model. The FTC has enforcement authority but very limited authority to promulgate new regulations. The proposal, which was offered up in a letter to FCC chairman Tom Wheeler comes as the FCC prepares a proposal on how to oversee broadband sub privacy–a new authority under its Title II reclassification–as it currently does traditional video CPNI (customer network proprietary information). A vote on that proposal could come as early as this month’s public meeting. NCTA and ACA, joined by USTelecom, CTIA and the Competitive Carriers Association, said the FCC should focus on four things: “(1) transparency; (2) respect for context and consumer choice; (3) data security; and (4) data breach notification.” [Source] See also: [The 5 Things Every Privacy Lawyer Needs to Know about the FTC]

US – Publishing Group Calls on FCC to Regulate Broadband Data Use

As the Federal Communications Commission begins to draft privacy regulations for broadband providers, online publishing group Digital Content Next advised the FCC to ensure broadband companies both inform and empower their customers about the companies’ use of personal data. “In light of their access to sensitive information about consumers, we urge the FCC to require broadband providers to provide consumers with transparency and meaningful choice with regard to the collection and use of personal information,” DCN wrote in its letter to the FCC. “Consumers should have the ability to exercise choice via a mechanism that is easy to use, persistent and universal.” [MediaPost]

US – Swire Study: Encryption, Mobile Devices Curb ISP Knowledge

In a new report, Alston & Bird’s Peter Swire says that the employment of encryption and mobile devices has shrunk Internet service providers’ knowledge regarding their customers’ online habits. His study aims to counter advocacy groups’ “widely-held but mistaken view about Internet service providers and privacy,” he said, one that sees ISPs as entities collecting treasure troves of user data without consent. While staying away from definitive policy suggestions, Swire says overall, “public policy should be consistent and based on an up-to-date and accurate understanding of the facts of this ecosystem.” [MediaPost]

US Government Programs

US – TSA Defends Full-Body Scanners at Airport Checkpoints

Three years, more than 1,000 comments and multiple challenges by advocacy groups later, the TSA issued a rule finalizing its policy for using full-body scanners at airports. While TSA insists the machines are the best way to protect the nation’s travelers from terror attacks, critics challenge the use of devices over privacy and health concerns. The legal battle went all the way to an appeals court, which said TSA could keep the machines if it took legal steps to justify their use. In a 157-page report that summarizes arguments for and against the machines, and their hefty price tag — $2.1 billion from 2008 through 2017 — the agency said the devices provide “the most effective and least intrusive” way to search travelers for weapons hidden under their clothes. And with that, the agency finalized its regulation governing the machines. The rule won’t change anything for travelers. Even as the question wound its way through courts, TSA deployed the machines and now uses 793 full-body scanners at 157 airports. [Source]

US Legislation

US – Legislative Roundup




Privacy News Highlights: 22-29 February 2016


CA – Mastercard to Bring ‘Selfie Pay’ to Canada This Summer

MasterCard will officially be rolling out its biometric payment service, MasterCard Identity Check – a smartphone app which allows users to verify purchases by taking a selfie instead of entering a password – to 14 countries, including Canada, this summer, the company announced this week according. The service, which MasterCard has tested in app form with nearly 1,000 consumers in the U.S. and Netherlands, requires users to provide a photo of their face when signing up, after which the service measures prominent facial “landmarks” and converts them into an algorithm that can be compared to future pictures. To avoid fooling the app with an existing picture, users must blink while snapping the photo to prove their humanity. Biometrics carry their own set of risks: many of us have posted our faces on multiple websites or had them picked up by surveillance cameras – and it’s difficult, for the average person to change their face. Other smartphone companies such as Apple and Samsung have incorporated biometrics technology including facial recognition and fingerprint scanning software into their devices, and hackers have proven themselves capable of bypassing them. Details regarding the Canadian version of Identity Check, which has already been colloquially dubbed “selfie pay,” are not yet available. [ITBusiness] [video explaining the technology]


CA – CSE Unlawful Sharing of Metadata Went on for Years

It’s impossible to know how many Canadians had their personal data shared by the country’s electronic spy agency in a metadata glitch, according to its watchdog. Jean-Pierre Plouffe, commissioner of the Communications Security Establishment (CSE), told a Senate committee Monday that data were erased from the agency’s system, making it difficult to find out the number of people impacted. A month ago, Plouffe tabled his annual report in the House of Commons, revealing for the first time that CSE illegally and unintentionally shared metadata with Canada’s Five Eyes intelligence allies: the United States, United Kingdom, Australia and New Zealand. That data may include Canadians’ personal information, including phone numbers or email addresses, but not the content of emails or recordings of phone calls.

“It’s not accidental,” Plouffe said in an interview about the CSE breaking the law. “It’s because of a lack of due diligence.” Metadata is information associated with communication that is used to identify, describe or route information. CSE is supposed to monitor only foreign communications for intelligence that may be of interest to Canada. [CBC] [Canadian electronic spy agency’s unlawful metadata sharing went on for years before being fixed] [Outrage over CSE metadata collection and blunders ‘Difficult to determine’ scope of privacy breach in Five Eyes data sharing ]

CA – CSIS Using New Powers to Disrupt Terrorists Since Bill C-51 Became Law

Powers to disrupt include blocking financial transactions, shutting down websites. The disruption powers allow CSIS to interfere with, telephone calls, travel plans and bank or financial transactions. The agency can also disrupt radical websites and Twitter accounts of groups or people inside and outside of Canada. This provision in the act has garnered criticism from the outset, because there is no clear definition of what “disrupt” means in the legislation, causing some to be concerned the power would be abused by police and intelligence services. [Source] [Canada: CSE can assist in ‘threat reduction’ without a warrant, documents show]

CA – PEI’s OIPC Finds Privacy Breaches by 5 Gov’t Agencies

P.E.I.’s Information and Privacy commissioner has ruled five different provincial government departments and agencies violated the privacy of someone who filed multiple applications under the Freedom of Information and Protection of Privacy Act by circulating his name, mailing address, telephone number, email address and signature with copies of his requests for information. After submitting applications for information from the various government agencies, the applicant filed a complaint with the commissioner, saying his personal information and details about his access requests were shared among them, and as a result, his requests were subjected to an “unequal, prejudicial and arbitrary process.” The privacy commissioner determined a meeting had taken place, but said there was insufficient evidence that “any public body improperly collected the complainant’s personal information” during the meeting. However, the commissioner concluded all five public bodies did violate the privacy of the applicant by circulating his name, mailing address, telephone number, email address and signature with copies of his requests for information. The commissioner said she believed the violation was inadvertent. The commissioner noted all public bodies have since been told to sever personal information from information request forms. The applicant also charged one of the agencies involved, the P.E.I. Liquor Control Commission, violated his privacy by compiling personal information from internet searches, including his photo, employment history and educational background. The commissioner agreed the information was collected, but determined that did not constitute a breach because it was publicly available, and it was gathered in order to respond to the applicant’s privacy complaint. [Source]

Other Ontario News


US – Cognitive Dissonance in How Americans Value Privacy: Survey

How much do Americans really value their online privacy? According to study findings, a considerable majority of 63% of respondents experienced some sort of online security issues. But despite the frequency of these issues, just over half of them (56%) actually made permanent behavior changes to guard against their reoccurrence. 24% of respondents admitted to using unsecured public Wi-Fi, meaning that their data is effectively ripe for the picking, “quite often or all the time.” And despite the fact that 67% said they wanted extra layers of privacy, a very small percentage actually utilize available tools to this end. In fact, only 16% use privacy-enhancing browser plug-ins, just 13% use two-factor authentication, only 11% use a VPN, and just 4 percent use anonymity software. [Source]


CA – Legal Trends 2016: Anti-Spam

In each of the three instances in which the CRTC entered into an undertaking in 2015, the undertaking included a monetary payment (ranging from C$48,000 to C$200,000) and an agreement by the company to update and implement a compliance program that would (1) cover elements such as corporate compliance policies and procedures, training and education, monitoring, auditing, and reporting mechanisms, and (2) apply consistent disciplinary procedures. In one enforcement action, the CRTC took issue with the fact that a company was allegedly sending CEMs to email addresses without proof of consent for each recipient. [Mondaq]


US – Apple Faces U.S. Demand to Unlock 9 More iPhones

The Justice Department is demanding Apple’s help in unlocking at least nine iPhones nationwide in addition to the phone used by one of the San Bernardino, Calif., attackers. The disclosure appears to buttress the company’s concerns that the dispute could pose a threat to encryption safeguards that goes well beyond the single California case. Apple is fighting the government’s demands in at least seven of the other nine cases. “Apple has not agreed to perform any services on the devices.”. Starting in December, Apple has in a number of cases objected to the Justice Department’s efforts to force its cooperation through a 1789 statute known as the All Writs Act, which says courts can require actions to comply with their orders. [The New York Times] [Apple, the FBI, and the All Writs Act] [The Lowdown on the Apple-FBI Showdown] [Apple calls for commission to discuss FBI’s iPhone unlocking demands]

Facts & Stats

WW – Gov’t Accounted for 43% of 2015 Breaches Worldwide

Digital security firm Gemalto this week released its latest Breach Level Index database report which revealed that 707 million records worldwide were compromised in 1,673 data breaches across the globe during 2015. That breaks down to a staggering 1,938,383 records lost every day, or 22 per second. Unsurprisingly, 1,222 of last year’s incidents occurred in the U.S., and Gemalto estimated 419.7 million records were compromised. Government agencies were hit the hardest in 2015 and comprised 43 percent of all recorded breaches, skyrocketing up a full 476% from the previous year. Unsurprisingly, incidents in the healthcare sector resulted in 134 million compromised records, a 217% jump from 2014. Quieting fears that attackers are mainly after financial information, the report shows that only 22% of incidents were designed to steal financial data. On the other hand, a full 53% were aimed at identity theft. “If security executives needed further evidence that identity theft is a still a serious problem,” said researchers. “This is it.” The report contained a wealth of information and tips aimed at security professionals, but records protection is obviously a concern for records managers as well, so it’s worth a quick read. [Source] [Gemalto’s Breach Live Index Report]


CA – PEI Province Must Turn Over Documents on E-Gaming Loan

The P.E.I. government has been ordered to release a document that outlines details of a $950,000 government loan that funded the province’s controversial e-gaming scheme. P.E.I. Privacy Commissioner Karen Rose delivered this ruling as a result of a FOI request by TC Media requesting details of this e-gaming loan. The province refused to disclose a one-page document that provides a breakdown of where and how the money from the e-gaming loan was to be spent. In her decision, Rose states the financial e-gaming document is not information that belongs to the Mi’kmaq Confederacy and is thus a public document. She also determined the information within this record was not supplied in confidence nor was there sufficient evidence provided that disclosing the information would significantly harm the confederacy’s competitive or negotiating position. However, she rejected TC Media’s assertion the information falls within the public interest, citing an interpretation that this argument can only be used if it is matter of “compelling public interest,” applying mainly to matters of health or safety and not to political issues. [Source]

CA – OIPC NS Find Jobs Forecast and Actual Jobs Report Can be Released

The Office of the Information and Privacy Commissioner in Nova Scotia reviewed a decision by the Nova Scotia Business, Inc. to refuse to disclose records pursuant to the Freedom of Information and Protection of Privacy Act. The public body successfully claimed that jobs information supplied by third parties applying for financing and rebates was provided in confidence (the proprietary information was submitted on the basis of it being held in the strictest of confidence), but did not establish that there was a reasonable expectation of harm if released (no evidence was provided that it would significantly harm the third party’s planned growth or rebate performance targets). [OIPC NS – Review Report 16-01 – Nova Scotia Business Inc.]


CA – OPC Voices Support for Genetic Discrimination Bill, But Wants Changes

Daniel Therrien testified at the Senate human rights committee on Bill S-201, which aims to prevent discrimination against a person based on their genetic testing. He offered broad support to Senator James Cowan’s bill that would prevent unsanctioned access to a person’s genetic test results, but worried that changes it would make to federal privacy laws could cause unintended consequences in future court cases.

“It’s crucial individuals remain in control to their data,” he told the committee. Therrien spoke in favour a clause which would prohibit the collection or use of “the results of a genetic test of the individual without the individual’s written consent.” He said it creates a “good and balanced way to represent the wishes of those who wish to share their genetic test results and those who do not.” But Therrien recommended removing clauses that would add a definition for “personal information” into the Privacy Act by adding the wording “information derived from genetic testing of the individual.” [iPolitics]

Health / Medical

US – OCR Releases mHealth Guidance for App Developers

Following the launch of its mHealth Developer Portal last October, the HHS Office for Civil Rights (OCR) has released guidance clarifying how HIPAA applies to mobile health apps. Ensuring that developers understand their legal obligations is critical to protecting consumer privacy and security, especially now that there are more than 165,000 health apps available in the iTunes and Android app stores. A more clear understanding of how the rules apply can also help bring down barriers to innovation. The guidance, titled “Health App Use Scenarios& HIPAA,” builds on the mHealth Developer Portal, which serves as a platform for users to share difficult use cases and best practices. On the portal, developers can also submit questions to OCR that will inform future guidance releases. OCR announced the guidance with a statement that the agency hopes it will help developers determine “how federal regulations might apply to the products they are building” and reduce uncertainty. The guidance offers developers background information on HIPAA and then details various scenarios, identifying when an app developer is—and is not—acting as a business associate. [Source]

CA – Edmonton Health Worker Fined For Illegally Accessing Patient Information

An Edmonton health worker who admitted to illegally accessing the medical records of seven people has been fined $1,000. Denise Tourneur pleaded guilty Feb. 5 to the violations under the province’s Health Information Act. The Court heard the breaches occurred on 44 separate occasions between September 2011 and September 2013. The guilty plea is the fourth conviction under the Health Information Act since the legislation came into force in 2006. However, the amount of the fine is considerably lower than past penalties. [The Winnipeg Sun]

CA – OIPC AB Orders Public Body to Implement Safeguards to Protect Personal Health Information from Unauthorized Access and Disclosure

The OIPC AB reviewed the results of an investigation conducted by the Alberta Health Services (“public body”) into a potential breach of personal health information by a nurse (“Affiliate”). The policy that a public body had in place regarding the monitoring and auditing of IT resources establish the public body’s intent to protect unauthorized use or access; this policy remained in place when a nurse inappropriately accessed, used, and siclosed the personal health information of a patient; the public body must implement mechanisms to ensure that individual’s are in compliance with policies at all times and that patient health information is safeguarded. [OIPC AB – Order H2016-02 – Alberta Health Services]

Identity Issues

US – Secret Police? Virginia Considers Bill to Withhold All Officers’ Names.

It started with a reporter’s attempt to learn whether problem police officers were moving from department to department. It resulted in legislation that is again bringing national scrutiny to the Virginia General Assembly: a bill that could keep all Virginia police officers’ names secret. The Virginia Senate has already approved Senate Bill 552, which would classify the names of all police officers and fire marshals as “personnel records,” exempting them from mandatory disclosure under the state’s freedom of information law. In a climate where the actions of police nationwide are being watched as never before, supporters say the bill is needed to keep officers safe from people who may harass or harm them. But the effort has drawn the attention of civil rights groups and others who say police should be moving toward more transparency — not less — to ensure that troubled officers are found and removed. If it is made law, experts say the restriction would be unprecedented nationwide. [The Washington Post]

Law Enforcement

US – Fed Judge Limits 1st Amendment Right When Videorecording Cops

Court: No First Amendment right to videorecord police unless you are challenging the police at the time. In recent years, lower federal courts have generally held that the First Amendment protects a right to videorecord (and photograph) in public places, especially when one is recording public servants such as the police. Because recording events that you observe in public places is important to be able to speak effectively about what you observe, courts held, the First Amendment protects such recording. Some restrictions on such recording may be constitutional, but simply prohibiting the recording because the person is recording the police can’t be constitutional. This is the view of all the precedential federal appellate decisions that have considered the issue. [Watch: What you need to know about filming the police]. But Friday’s federal trial court decision in Fields v. City of Philadelphia takes a different, narrower approach: There is no constitutional right to videorecord police, the court says, when the act of recording is unaccompanied by “challenge or criticism” of the police conduct. Therefore, the court held, simply “photograph[ing] approximately twenty police officers standing outside a home hosting a party” and “carr[ying] a camera” to a public protest to videotape “interaction between police and civilians during civil disobedience or protests” wasn’t protected by the First Amendment. [Source]

Privacy (US)

US – Former Employee Deletes Data, Gets Prison Sentence

A US district judge in North Carolina has sentenced Nikhil Nilesh Shah to 30 months in prison for sabotaging his former employer’s servers. Shah was an IT manager at SmartOnline. He left that company in March 2012, and in June of that same year, he sent malicious code to his previous employer’s servers, deleting much of the company’s intellectual property. [The Register] [SCMagazine] []

US – Asus Settles FTC Charges Over Unsecure Home Routers

Asus has agreed to the terms of a settlement with the US FTC regarding vulnerabilities in its home routers and cloud services. The FTC noted that Asus frequently “did not address security flaws in a timely manner and did not notify customers about the risks posed by the vulnerable routers.” The settlement calls for Asus to establish and maintain a comprehensive security program and to undergo audits every two years for the next 20 years. [FTC] [eWeek] [SCMagazine] [The Register] [ComputerWorld]


WW – Obama’s National Action Plan on Cybersecurity Addresses IoT

The White House’s national action plan on cybersecurity addresses concerns about the security of the Internet of Things (IoT). According to the plan, the US Department of Homeland Security (DHS) is working with Underwriters Laboratories to develop a cybersecurity assurance program that could evaluate IoT devices before they go to market. [NextGov]

CA – OPC Releases Research Paper on Internet of Things

The OPC released a research paper titled ‘The Internet of Things (IoT): An introduction to privacy issues with a focus on the retail and home environments’, which examines the key privacy challenges posed by the IoT, such as customer profiling, accountability, transparency, and information security. The Paper assesses whether the definitions of both consent and personal information, as included in the current privacy regulation, are suitable for a ‘fast-developing online environment’ as the IoT. The Paper also considers various technologies used by the retail industry to monitor consumer behaviours, such as wearables and smartphone apps, and to connect the devices among them, namely cellular, Wi-Fi, Bluetooth, Near Field, communication and Radio-Frequency Identification. The Paper does not offer specific guidance to them or propose any new regulatory measures.” [Source]

WW – Microsoft, Cisco, Intel and others Form Open Iot Standards Group

Microsoft is leading a band of tech titans to found a new Internet of Things standards group. The Open Connectivity Foundation (OCF) will seek to define interoperability standards for the billions of internet-connected devices expected to arrive in the next few years. Up until now the OIC was in competition with the Allsee Alliance, another IoT standards group formed in 2013, with members such as Microsoft, Electrolux, and Qualcomm — all of whom are now part of the OCF. There’s also the two-year-old Industrial Internet Association formed by Intel, IBM, ATT, Cisco, and GE. [ZDNet]

WW – IoT: SimpliSafe Alarms Transmit Codes in Plaintext

SimpliSafe wireless home alarm systems are vulnerable to replay attacks.

The system’s keypad uses the same, unencrypted personal identification number each time it sends a message to the base station. Attackers could sniff the code, then replay it to trick the system into thinking that a home is secured when there is actually a break-in occurring. The microcontroller chips used in the system are write-once, which means they cannot be updated with firmware. SimpliSafe is used in more than 200,000 homes. [Ars Technica] [The Register]


WW – Eliminating Browser Plugins Improves Security, Decreases Functionality

In an effort to improve security, browser makers have begun disabling plugins. Oracle said last month that it would end support for its Java plugin. The plugin will be “deprecated” in the next release version of Java Development Kit, which is scheduled for release next year. [eWeek]

US – California AG Says Not Adopting Critical Security Controls Indicates “Failure to Provide Reasonable Security”

A report from the California Attorney General’s Office includes recommendations for organizations to protect their systems from breaches. The “report clearly articulates basic steps that businesses and organizations must take to comply with the law, reduce data breaches, and better protect the public and our national security.” The report recommends organizations adopt the Center for Internet Security’s Critical Security Controls as the start of a comprehensive information security program. The Attorney General’s Office stated “not doing so would be indicative of an organization’s failure to provide reasonable security.” [Source] [SANS Critical Controls]

US – California Data Breach Report Identifies Exploited Flaws and Defines Legal Minimum Standard of Due Care for Cyber Security

The California Data Breach Report “provides an analysis of the data breaches reported to the California attorney general from 2012-2015.” In nearly all cases, the breaches exploited vulnerabilities for which fixes had been available for more than a year. California state law states, “A business that owns, licenses, or maintains personal information about a California resident shall implement and maintain reasonable security procedures and practices appropriate to the nature if the information.” The report goes on to say that organizations that do not implement the Center for Internet Security’s (CIS) 20 Critical Security Controls would be found to demonstrate “a lack or reasonable security.” [NextGov] [NatLawReview]

WW – PwC Report: Cybercrime Second Most Reported Economic Crime

According to PwC’s Global Economic Crime Survey 2016, nearly one-third of organizations surveyed said they had experienced cybercrime. The report explains the surprisingly low percentage by noting, “the insidious nature of this threat is such that of the 56% who say they are not victims, many have likely been compromised without knowing it.” The report also found that just 37 percent of organizations have established a cyber incident response plan. “Many boards are not sufficiently proactive regarding cyber threats.” The report draws its statistics from responses from more than 6,000 organizations in 115 countries. [ZDNet] [Newsmarket]

US – IRS reports 400% increase in phishing& malware in the past 12 months

The US tax-filing season has only been under way for a month, but already the IRS is warning that it’s seen a 400% surge in phishing and malware compared with the previous tax year. Phishing messages are asking taxpayers about a wide range of sensitive information, including data related to refunds, filing status, confirmation of personal information, transcript orders and PIN verifications. The messages are rigged to look official, as if they came from the IRS itself or from others in the tax industry, such as tax software companies. The phishing attempts are being seen in every part of the country, the IRS says. [Source]


Texas – City Dumps License Plate Readers for Being “Big-Brotherish”

At the beginning of the year, the City of Kyle, Texas, approved a controversial agreement to install automated license plate recognition (ALPR) technology in its police vehicles. The devices would come at no cost to the city’s budget; instead, police would also be outfitted with credit card readers and use ALPR to catch drivers with outstanding court fees, also known as capias warrants. With each card swipe, an added 25% surcharge would go to Vigilant Solutions, the company providing the system. As an added bonus the company would also get to keep all the data on innocent drivers collected by the license plate readers—indefinitely. But before the license plate readers could even be installed, the Kyle city council voted 6-1 to rescind the order. The reason: public and media outcry over how the system would turn police into debt collectors and data miners. In late January, EFF published a report about Vigilant’s latest business scheme: licensing ALPR systems to law enforcement agencies for free, in exchange for their participation in what Vigilant calls its “Warrant Redemption Program.” In addition to the City of Kyle, the City of Orange and Guadalupe County in Texas had also signed similar deals. [EFF]

US Legislation

US – Obama Signs Bill Extending Privacy Protections to Allies

President Barack Obama signed legislation that would extend some U.S. privacy protections to citizens of allied countries and let foreigners sue the U.S. government if their personal data is unlawfully disclosed. The bill extending certain privacy protections was aimed at shoring up trust among European allies following leaks by former NSA contractor Edward Snowden. Obama said the new law makes sure data is protected under U.S. privacy laws, “not only American citizens, but also foreign citizens.” Even as the U.S. government works to protect American’s security, Obama said “we’re mindful of the privacy that we cherish so much.” Supporters say extending privacy protections helps ensure that other nations will continue sharing law enforcement data with the United States. [The Winnipeg Free Press]

US – Congress Looks to Boost Email Privacy; Increase Social Media Surveillance

While civil liberties advocates are encouraged by the House push to protect Americans’ emails, they are keeping a close eye on separate efforts by lawmakers to increase surveillance of social media. Earlier this month, the Senate Homeland Security and Governmental Affairs Committee approved the bipartisan Combat Terrorist Use of Social Media Act, which requires President Obama to develop a comprehensive strategy to counter terrorists’ use of social media. The Obama administration has been promising such a strategy since late 2011. [Source]

US – DC Introduces Bill Prohibiting Tracking of School Issued Devices

Bill 21-0578, Protecting Students Digital Privacy Act of 2016, was introduced and referred to the Committee on Education. Device location tracking technology cannot be used to track a device given to students unless the student has reported the device missing or stolen, a judicial warrant has been obtained or it is necessary to respond to an imminent threat to life or safety; students cannot be required to or coerced into providing usernames and passwords or providing any school personnel with access to personal social media accounts. [B21-0578 – Protecting Students Digital Privacy Act of 2016]




15-21 February 2016


US – The American Government Plans to Scan Your Eyes at Border Crossings

The US government is using eye scans and facial recognition technology for the first time to verify the identities of foreigners leaving the country on foot — a trial move aimed at closing a long-standing security gap, officials announced. Before now, foreigners who left the country were rarely checked by U.S. authorities as they walked into Mexico or Canada through ports of entry. The checkout system that launched Feb. 11 at a busy San Diego border crossing with Mexico aims to ensure those who enter the country leave when their visas expire and identify those who violate that. Up to half of people in the U.S. illegally are believed to have overstayed their visas. Authorities are using the trial runs to determine which technology is the fastest, most accurate and least intrusive in screening people coming and going at all land crossings along the 3145-kilometre border with Mexico. Final results are expected this summer, with the goal of expanding the checks to all land, air and sea ports. Federal officials say they will not share or retain the data collected in the trial runs, but it is not clear how the information will be used if the program is adopted permanently. [Source]


CA – OIPC SK Unable to Determine if Employee Access to Individual’s Personal Information Was for Legitimate Purposes

The Saskatchewan IPC investigated a complaint alleging improper disclosure of personal information by an employee of Saskatchewan Government Insurance. The employee conducted a specific license plate search on a vehicle belonging to the individual; the individual argues that she has a contentious relationship with the employee, however the search was a typical part of the employee’s duties. The government agency must evaluate solutions to determine whether employee access is for legitimate business purposes. [Investigation Report 189-2015 – Saskatchewan Government Insurance]

CA – OIPC AB Upholds Educational Institution’s Disclosure of Student’s PI in the Course of a Conflict Resolution Process

This OIPC AB order investigated the alleged unlawful collection and disclosure of a student’s personal information by Bow Valley College pursuant to Alberta’s Freedom of Information and Protection of Privacy Act. An academic official reasonably communicated PI about one student in emails to 2 supervisors, to ensure that the students did not have contact with one another and to decide if further disciplinary action might be necessary; the student’s PI was secure because email messages remain only within the internal computer network (monitored for security threats, viruses and unauthorized access) and employees’ email accounts are password protected. [Order F2016-01 – Bow Valley College]

CA – Airlines Should Be Able to Exchange Info on Unruly Passengers: Air Canada

Air carriers should be allowed to share information about unruly passengers to help keep the skies safer, Canada’s largest airline says. A carrier can ban people with a history of disruptive behaviour from taking further flights with that airline, Air Canada notes in a submission to the federal government. But legislation does not permit airlines to exchange information about passengers, even when they believe them to be a safety risk to others. In the submission to a federal review of the Canada Transportation Act, Air Canada says safety “should always be first and foremost.” A report flowing from the review — likely to include some recommendations about air safety — is expected to be made public in coming weeks. The federal privacy commissioner’s office said it was unaware of Air Canada’s sharing proposal, had not studied the issue and could provide no comment at this time. [The Canadian Press]


WW – New Tool from Nymity Aims to Simplify Privacy Management

Nymity announced its newest privacy management tool, the Nymity Planner. The “activity based” Nymity Planner “helps privacy offices operationalize compliance, document evidence and resources, delegate accountability, and ‘plan’ privacy management throughout the organization,” the report states. It also includes a GDPR add-on, so companies can consider GDPR compliance as they work to increase privacy protections in their organization. Nymity also has plans to include a Privacy Shield add-on. “The solution will prove to be highly valuable for those privacy officers who are looking to embed, manage, and report on structured privacy management across their organization,” said Nymity’s Constantine Karbaliotis, [GlobeNewswire]


CA – Update on CRTC CASL Compliance and Enforcement

On February 10, 2016, Lynne Perrault and Dana-Lynn Wood of the CRTC provided the latest in what is becoming a series of CASL briefings, as part of an “on-going dialogue” with industry. The CRTC now has a year and a half of enforcement experience under its belt for the Commercial Electronic Messages (CEMs) provisions of CASL, so this presentation focused on patterns and issues that have emerged in that period, and some guidance in response to those issues, including complaint statistics, priorities, and enforcement and other compliance issues. [Canadian Tech Law Blog] See also: [If you hate telemarketers, you’ll love this robot designed to waste their time]

Electronic Records

US – ONC: Patient Comfort Levels With EHRs, Data-Sharing On the Rise

A nationwide survey from Office of the National Coordinator for Health IT conducted between 2012 and 2014 indicates patients are growing more comfortable with electronic medical records and support data-sharing, though a summary from the agency notes that the survey took place before several major healthcare data breaches in 2015. Preserving patient trust is an essential part of establishing an interoperable health IT infrastructure. A study from the University of Wisconsin-Milwaukee and Dartmouth College based on the 2012 Health Information National Trends Survey found that 13% of respondents reported having withheld information from their provider because of privacy and security concerns. Privacy concerns can “crash” big data initiatives before they become useful, while the key to success lies in finding the right balance, experts said at a Princeton University event in April 2014. ONC data brief [FierceHealthIT]


US – Apple Fights Order to Unlock San Bernardino Gunman’s iPhone

A debate pitting the government against tech companies has now come to a showdown after Apple CEO Tim Cook announced the company will not comply with a federal court order that it help the FBI unlock the iPhone of one of the San Bernardino shooters. In a win for the government, Magistrate Judge Sheri Pym ordered Apple to provide technical assistance to disable the phone’s password-wipe function — after 10 incorrect password attempts, the phone erases its data — so that authorities could “brute force” the phone’s password. Hours later, Cook announced the company would fight the order. In a message to Apple customers, the company wrote, “This moment calls for public discussion, and we want our customers and people around the country to understand what is at stake.” [The New York Times] See also: [Can the FBI Force Apple to Write Software to Weaken Its Software? ] [Why Apple Is Right to Challenge an Order to Help the F.B.I.] [Apple’s Line in the Sand Was Over a Year in the Making] [Who does Apple think it is? ] [Apple Said to Get More Time to Fight Order to Unlock IPhone ] [Why you should side with Apple, not the FBI, in the San Bernardino iPhone case ] [Here’s What The FBI Actually Asked Apple To Do It’s more complicated than it seems.] [No, Apple Has Not Unlocked 70 iPhones For Law Enforcement ] [Apple vs. The FBI: Questions Not Asked ] [Apple vs. the FBI: Facebook, Twitter, Google, John McAfee and more are taking sides ] [Apple backdoor court order being watched in Canada] [Read Apple’s unprecedented letter to customers about security] [Tech Reactions on Apple Highlight Issues with Government Requests] and finally: [In the Matter of the Search of an Apple iPhone Seized During the Execution of a Search Warrant on a Black Lexus IS300, California License Plate 35KGD203 – Order Compelling Apple Inc. to Assist Agents in Search – United States District Court For The Central District Of California

EU Developments

EU – Art WP29 Issues Surveillance Benchmarks

In its statement in response to the announcement of the new EU-U.S. Privacy Shield, the Article 29 WP enunciated “four essential guarantees,” derived from “jurisprudence,” that it is using to assess the protections provided to ensure intelligence surveillance respects fundamental rights. These are:

  1. Processing should be based on clear, precise and accessible rules: This means that anyone who is reasonably informed should be able to foresee what might happen with their data where it is transferred;
  2. Necessity and proportionality with regard to the legitimate objectives pursued need to be demonstrated: A balance needs to be found between the objective for which the data is collected and accessed (generally national security) and the rights of the individual;
  3. An independent oversight mechanism should exist, that is both effective and impartial: This can either be a judge or another independent body, as long as it has sufficient ability to carry out the necessary checks;
  4. Effective remedies need to be available to the individual: Anyone should have the right to defend her/his rights before an independent body.

These four standards are almost identical to the essential safeguards under the EU legal order used in the Sidley Austin report, “Essentially Equivalent: A comparison of the legal orders for privacy and data protection the European Union and United States,” as a basis to compare surveillance laws in the United States and eight illustrative EU member states. [IAPP] [Article 29 WP – Statement on the 2016 Action Plan for the Implementation of the GDPR Work Programme | Action Plan]

UK – ICO Launches Tool to Help SMEs Assess Compliance

The UK ICO has launched a self-assessment tool to help small and medium organisations assess compliance with the Data Protection Act. The tool outlines obligations for registration of personal data processing, identification of individuals responsible for development, implementation and monitoring of data protection and information security policies, training of staff and disposal of personal data held; security measures should be established for effective malware defences, logging and monitoring of user and system activity, and detection of unauthorised access or anomalous use. [ICO UK – ICO Launches New Data Protection Self Assessment Tool for SMEs]

EU – Other News:

Facts & Stats

US – California Attorney General Releases Data Breach Report

Over the course of the last four years, the personal records of more than 49 million Californians were put at risk, according to a new data breach report from California Attorney General Kamala Harris. Between 2012 and 2015 there were 657 reported breaches, and three out of five state residents were victims of a data breach in just 2015 alone. The report includes information on the most common types of data breached, explains what types of breaches different industry sectors were most susceptible to, and provides recommendations to reduce the frequency and impact of future breaches. The report articulates basic steps that businesses and organizations must take to comply with the law, reduce data breaches, and better protect the public and our national security. The report also includes recommendations for businesses to better protect personal data and maintain “reasonable security.” [Source] [California Data Breach Report February 2016] [California Reports 49 Million Records Breached in Four Years]


CA – Google Appeal of Worldwide Injunction Headed to Supreme Court

The Supreme Court of Canada has agreed to hear Google’s appeal of a worldwide injunction which critics warn could turn B.C. into a destination for ‘censorship tourism’. The tech giant is challenging a B.C. Supreme Court ruling made in relation to a Burnaby-based company’s bid to stop another firm from profiting from the sales of stolen technology. Google was a third party in the litigation, dragged into the case because Datalink relies on web search engines to attract potential customers. Google voluntarily removed 345 links from search results in Canada. But Equustek accused Datalink of playing ‘Whack-A-Mole’ by going international with its listings. Hence the worldwide injunction in 2014 from B.C. Supreme Court Justice Lauri Ann Fenlon. “The courts must adapt to the reality of e-commerce with its potential for abuse by those who would take the property of others and sell it through the borderless electronic web of the internet,” Fenlon wrote. “That (injunction) is necessary … to ensure that the defendants cannot continue to flout the court’s orders.” The ruling, which was upheld by the B.C. Court of Appeal, made headlines around the world. It’s one of a growing body of legal decisions struggling to balance rights and responsibilities of technology companies operating across global boundaries.

In agreeing to hear the case, Canada’s highest court defined those questions as follows:

  • “Under what circumstances may a court order a search engine to block search results, having regard to the interest in access to information and freedom of expression, and what limits (either geographic or temporal) must be imposed on those orders?”
  • “Do Canadian courts have the authority to block search results outside of Canada’s borders?”
  • “Under what circumstances, if any, is a litigant entitled to an interlocutory injunction against a non-party that is not alleged to have done anything wrong? [CBC] [Canadian courts wade into free-speech battle with worldwide injunction against Google]


NZ – Government Made 12,000 Privacy Requests to Just 10 Companies

The New Zealand privacy commissioner revealed that government agencies, including Inland Revenue, Police and Ministry of Social Development made nearly 12,000 requests for citizens’ personal information to only 10 companies from August to October 2015. This information was revealed as part of an Office of the Privacy Commissioner trial transparency program. The OPC further discovered that more than 1,000 information requests were incorrectly labelled as being made under the Privacy Act, which provides no mechanism for government agencies to make requests for personal information. The 10 companies voluntarily complied with the information requests approximately 96 percent of the time, which has left some lawyers and privacy advocates concerned that agencies were misleading companies by using clauses of the Privacy Act to compel sharing of personal information. [NZ Herald]

CA – IPC ON Orders Oshawa to Issue Decision Relating to Email by City Councillor

The Information and Privacy Commissioner in Ontario reviewed a decision by the City of Oshawa to deny access to records requested pursuant to the Municipal Freedom of Information and Protection of Privacy Act. Although the councillor is not an employee of the public body (elected members of a municipal council or not agents or employees of municipal corporations), the record is under the control of the public body; the contents of the record relate to a departmental matter and the public body could reasonably expect to obtain a copy of the record upon request. [IPC ON – Order Mo-3281 – The Corporation of the City of Oshawa]

Health / Medical

US – HHS Releases New HIPAA and Mobile Sharing Guidance

The Department of Health and Human Services’ Office for Civil Rights debuted new scenario-based guidance to help health care providers better understand how to protect patient data and comply with HIPAA on mobile devices. Privacy advocates are pleased. “This guidance is important since some developers still aren’t clear about whether they fall under HIPAA or not — that is, whether or not they are HIPAA-defined business associates,” said The Marblehead Group. The guidance is next in the agency’s “cyber-awareness initiative,” with a manual on HIPAA and cloud computing forthcoming, the report adds. [GovInfoSecurity]

CA – Debate Continues on Ontario Health Privacy Breach Law

A bill proposing to double the fines for violations of Ontario’s Personal Health Information Protection Act was a subject of debate at Queen’s Park in Toronto. Bill 119, the Health Information Protection Act, was tabled Sept. 16 by Liberal Health Minister Eric Hoskins. Among other things, Bill 119, if passed into law, would double the maximum fines for offences, under PHIPA, from $50,000 to $100,000 for individuals and from $250,000 to $500,000 for organizations,” said Indira Naidoo-Harris Liberal MPP for Halton and parliamentary assistant to Hoskins, at Queen’s Park Tuesday. Other changes proposed in Bill 119 “include making it mandatory to report privacy breaches as defined in regulation.” [Canadian Underwriter]

CA – Sask. Residents Can View Their Personal Health Care Information Online

500 Saskatchewan residents were invited to participate in a new pilot program offered by eHealth. The pilot allows residents to view their personal health information online through a secure website. So far, 232 residents have created accounts. The Citizen Health Information Portal (CHIP) pilot will include up to 1,000 participants from across the province. Throughout the six-month trial period, participants can view their personal lab results, immunization history, 25 months of prescription history and hospital visits from anywhere in the world. Participants can add their personal history to the record, including information about allergies and surgeries and medication reminders. Parents can access their children’s health-care information, and travellers can print their health information and take it with them on holidays. [Source] [Saskatchewan patient access to online health records requires big focus on security] [Debate continues on Ontario health privacy breach law]

Horror Stories

US – Ransomware Hits California Hospital

Computer systems at the Hollywood Presbyterian Medical Center in southern California have fallen prey to ransomware. The systems have been offline for more than a week. Employees were not able to access patient files and the hospital declared the situation an internal emergency. The FBI, the L.A. Police Department, and cyberforensics experts are investigating. The attackers have demanded a ransom of 9,000 Bitcoins (approximately US $3.6 million) While the organization is dealing with the attack, its network is offline and “staff are struggling to deal with the loss of email and access to some patient data.” Some patients have also been transferred to other hospitals because of the attack, and registrations and medical records are currently being logged on paper. Meanwhile, a new study by the Cloud Security Alliance and Skyhigh has found that cybersecurity insurance makes companies more likely to pay in ransomware attacks. [CSO Online] [ZDNet] [ComputerWorld] [BBC] UPDATE: [LA Hospital Pays Hackers Nearly $17,000 To Restore Computer Network]

Internet / WWW

US – Google Says it Tracks Personal Student Data, But Not for Advertising

What does Google do with the personal information it collects from children who use Google products at school? Google provided some answers in a seven-page letter to Sen. Al Franken (D-Minn.), the ranking member of the Judiciary Subcommittee on Privacy, Technology and the Law. Google does not use K-12 students’ personal information to serve targeted advertisements, but Google does track data from students for other reasons, including developing and improving Google products. Such tracking happens when students are signed into their Google Apps for Education account but are using certain Google services — such as Search, YouTube, Blogger and Maps — that are considered outside Google’s core educational offerings. Thousands of K-12 schools and universities — and more than 30 million students and teachers — use Google’s Apps for Education, which the company provides to schools free of charge. Franken said that Google’s response was “thorough,” but said he will seek further clarification from Google about some of its privacy policies regarding student data. UC Berkeley students sue Google, alleging their emails were illegally scanned [The Washington Post]

US – 90% of Enterprises in U.S. to Increase Annual Spend On Cloud Computing

A new survey out of the U.S. identifies a cloud computing spending pattern – 90% of respondents say their companies plan to increase or maintain related budgets – that signals a growth opportunity for providers. Cloud service providers are advised to target opportunity in enterprise market, Washington, D.C.-based B2B research firm Clutch suggested in releasing its 2016 Enterprise Cloud Computing Survey last week. [Canadian Underwriter] See also: [Privacy, power concerns drive Canadian data center growth]

Law Enforcement

CA – Group’s Efforts to Review Ottawa Police Sexual Assault Cases Falls Flat

The Ottawa Police Service denied a group’s request to have full disclosure in reviewing sexual assault cases, citing privacy concerns as the main reason. Scassa, a law professor and member of the external advisory committee of the Office of the Privacy Commissioner of Canada, said the (external audit) model could be adopted in Ottawa if the advocates who review cases sign confidentiality agreements. The group that has been lobbying the Ottawa police to adopt the model said they would be willing to do that. “There’s nothing in Ontario privacy law that stops the police here from doing the same thing,” said Scassa. “I think there is a great tendency to use privacy as an excuse for not doing things, or for government institutions to use privacy as an excuse for not doing things they don’t want to do.” [MetroNews]

CA – Ontario Privacy Laws Hamper Social Agencies

The head of a St. Catharines social agency says more missing adults in Ontario could be found if government legislation did not prohibit sharing personal information with family members. “They have rights and responsibilities within the Mental Health Act that precludes us from going and taking them and forcing them into a situation that they’re not comfortable with.” Souter says it is important to respect the privacy of all people, but rules around confidentiality often put an individual at odds with his or her family. [CBC] [Ontario man missing 30 years suddenly remembers own identity] SEE ALSO: [B.C. privacy laws slow efforts to find, compensate children of missing women]


CA – Waterloo Deploys ALPR on Delinquent Parkers

Delinquent parkers beware: it’s going to get a lot harder to dodge a parking ticket if you overstay your welcome in Waterloo’s free parking zones. A new license plate recognition vehicle will begin patrolling the streets in March. The vehicle will use specialized cameras to scan licence plates, capture the GPS coordinates of the vehicle and capture a before and after image of the vehicle’s wheels. It’s an initiative the city has been working on since 2011, said Waterloo’s manager of compliance and standards. Mulhern says part of why it took five years to get the program off the ground was the city’s dedication to ensuring all possible privacy concerns had been addressed. He said the city worked with the privacy commissioner to make sure the system was set up correctly and that data would be stored securely and for no longer than necessary. Labouring over those kinds of details seems to have paid off. When contacted by the CBC, Ontario Civil Liberties Association executive director Joseph Hickey said it appeared the city had addressed privacy concerns, and “therefore this is a minor issue for us.” The city plans to hold an open house Thursday at RIM Park from 12 to 8 p.m. for the public to see the new parking control system and ask questions. [CBC]

Privacy (US)

WW – EY Releases Report on Privacy Trends for 2016

EY has now released a report on privacy trends in 2016, called “Can privacy really be protected anymore?” Of those surveyed, nearly half said they were concerned with having a clear picture of where personal information is stored outside the organization’s systems and services. Additionally, nearly 40% expressed concern that there are not enough people to support their privacy program. “As the onus of accountability shifts from regulators to organizations,” the report states, “organizations need to take heed of where they are in terms of their privacy maturity and what they need to do to make privacy protection part of everything in an organization.” [Source]

US – Tech Company Settles FTC Charges for Installation of Apps Without Consumer Knowledge or Consent

General Workings Inc. entered into a settlement agreement with FTC for alleged violations of section 5(a) of the FTC Act. The company replaced a popular app with its own software program that automatically approved default permissions requests associated with apps that were then installed on consumers’ desktops and mobile devices; the company must delete all consumer personal information in its possession, custody or control, inform consumers of the types of information that will be accessed and display any permissions notice or approval requests prior to installation of the app. [FTC Settlement Agreement with General Workings Inc and Ali Moiz and Murtaza Hussain – File 152-3159] [Press Release] [FTC Complaint]

US — Privacy Owes Much to Attorneys General: Report

The University of Maryland Francis King Carey School of Law’s Danielle Keats Citron argues that state attorneys general are the unsung heroes of developing privacy law in her new research that has been posted to the Social Science Research Network, entitled “Privacy Enforcement Pioneers: The Role of State Attorneys General in the Development of Privacy Law.” In it, she writes, “Accounts of privacy law have focused on legislation, federal agencies, and the self-regulation of privacy professionals,” adding, “Crucial agents of regulatory change, however, have been ignored: the state attorneys general.” According to the SSRN abstract, “this article is the first in-depth study of the privacy norm entrepreneurship of state attorneys general.” [Full Story]

US – Tech firms Unite to Form Cybersecurity Coalition

Seven cybersecurity firms banded together to create the Coalition for Cybersecurity Policy and Law, a group committed to developing an online privacy framework with legislators. Cisco, Intel, Arbor Networks, Microsoft, Oracle, Rapid7 and Symantec are the organizations represented in the coalition, which was “founded on three major principles: stimulating the cybersecurity marketplace; encouraging cybersecurity innovation,” and encouraging other companies to embrace cybersecurity from the ground up. “The members of this Coalition are dedicated to building our nation’s public and private cybersecurity infrastructure, and their insight and engagement must play a vital role in the decisions being made by our government on cybersecurity policy,” said Venable’s Ari Schwartz, who serves as the coalition’s coordinator. [FedScoop]

NZ – Nudist Resort Removes Photos of Judge from Site

An unnamed judge recently spent time at the Pineglades Naturist Club in Rolleston where he was photographed lounging and playing games in the nude. The club had posted photos of the naked judge online for promotional purposes. However, the photos were removed from the club’s website after the newspaper made inquiries into them. The Guidelines for Judicial Conduct warn that a judge attracts more attention and scrutiny than most members of the community, so they should accept some restrictions on conduct and activities. The judge is unlikely to be punished though as there are no disciplinary mechanisms for enforcing the guidelines. [The New Zealand Herald]


US – Cyber Threat Information Sharing Guidelines Released by DHS

This week, the Federal government took the first steps toward implementation of the Cybersecurity Information Sharing Act (CISA), enacted into law last December. CISA aims to encourage sharing of cyber threat indicators and defensive measures among private companies and between the private sector and the Federal government by providing liability protection for sharing such information in accordance with the Act.  The DHS Federal Register notice was published this morning here. As required by the Act, the government has released four pieces of guidance designed to assist companies and Federal agencies with respect to sharing, receiving and handling cyber threat information.

WW – Study: Leaked data quickly gobbled up in the Dark Web

Bitglass’ second annual “Where’s Your Data” study found that within “a few days” of leaking false user data, the information was accessed via the Dark Web in “20 countries and multiple continents.” “In total, the team tracked over 1,400 visits to the fake credentials, in addition to the fictitious bank portal,” the report states. The findings are evidence of the need for companies to properly protect their personal information. “Organizations need a comprehensive solution that provides a more secure means of authenticating users and enables IT to quickly identify breaches and control access to sensitive data.” [ZD Net]

Smart Cars

US – Verizon’s “Hum” Device for Your Car Will Rat Out Speeding Teens, Wandering Spouses

The $15/month Verizon “hum” service was originally launched to collect vehicle diagnostics, connect users to roadside assistance, provide maintenance reminders. But this morning Verizon announced that it will be adding a slew of new features for the hum, including: boundary alerts, speed alerts, vehicle location, and driving history. [The Consumerist] SEE ALSO: [Marc Garneau: Canada’s Senate To Study Rules Surrounding Driverless Cars]


WW – 519070 or Blank: The PINs that Can Pwn 80k Online Security Cams

Researchers say up to 80,000 digital video recorders (DVRs) used to record footage from surveillance cameras employ hardcoded passwords – or don’t use one at all – opening avenues for attackers to breach home and business networks and compromise privacy. In one examination, at least 46,000 DVRs were found open to remote hijacking through a hardcoded firmware username and password. Risk-Based Security chief researcher Carsten Eiram says most of the exposed cameras are operating in the US followed by the UK, Canada, Mexico and Argentina.  [The Register]

Telecom / TV

US – Coalition Calls FCC Set-Top-Box Proposal ‘An Assault’ On Privacy

Privacy advocates continue to criticize the Federal Communications Commission’s proposal for new set-top-box TV guidelines, calling them both “an assault on consumer privacy” and an outlet that lets “privacy scofflaws like Google” obtain greater swaths of user data, the Future of TV Coalition said. While FCC Chairman Tom Wheeler maintains the guidelines would have privacy protections, the advocacy group argues the overreaching consequences are too immense. “The Chairman’s approach creates a gaping hole in consumer privacy where none exists today, and leaves our personal viewing histories at the mercy of vast businesses built almost entirely on mining, exploiting, and profiling our personal data,” the Future of TV Coalition said. [MediaPost] [Lawmakers weigh in on FCC set-top box changes]

US Government Programs

US – Interim Guidelines for Cybersecurity Act Released by DHS

The Department of Homeland Security published interim guidelines that illustrate how the agency will collect data under the Cybersecurity Act of 2015. The act-mandated move was an attempt to assuage critics of the legislation, who fear it will conclude with even more citizen data collected by the agency. “We know many cyber intrusions can be prevented if we share cyber threat indicators,” said DHS Secretary Jeh Johnson. “Sharing this kind of information in real-time, and swiftly applying defensive measures, will allow both the government and private sector to more effectively prevent attacks.” The agency has until June to complete a more formal privacy guideline. [The Hill]

US Legislation

US – Roundup:

Workplace Privacy

US – Bosses Tap Outside Firms to Predict Which Workers Might Get Sick

In an attempt to curb the cost expended for health care, companies like Wal-Mart are employing data mining groups to analyze employee information that identifies those with potential health risks. “Companies say the goal is to get employees to improve their own health as a way to cut corporate health care bills,” the report states, but “privacy experts worry that management could obtain workers’ health information, even if by accident, and use it to make workplace decisions.” [Wall Street Journal] [US: Bosses Harness Big Data to Predict Which Workers Might Get Sick]






08-14 February 2016



CA – OPC Wants Info on Agency Tracking Peaceful Protests

Canada’s privacy watchdog wants more information on a central government agency keeping tabs on peaceful protests. Privacy commissioner Daniel Therrien’s office has asked the Government Operations Centre (GOC) to review its tracking of lawful protest and dissent. The GOC provides 24/7 “situational awareness” for the federal government, and is supposed to help co-ordinate Ottawa’s response to natural disasters or threats to infrastructure. But in late 2014, it was revealed the GOC has collected information on more than 800 peaceful protests, demonstrations and academic panels since 2006. Documents tabled in Parliament in 2014 showed the GOC had information on events like a rally for veterans on Parliament Hill, a public panel discussion in Toronto on the oilsands, and a number of vigils and marches for missing and murdered indigenous women. In June 2014, the Ottawa Citizen reported that the GOC asked government departments for help in compiling a “comprehensive listing of all known demonstrations” across the country. The revelations drew the ire of the Liberals while in opposition. [The Star]

CA – Premier’s Office in Nova Scotia Broke Law, Privacy Czar’s Report Finds

The office of Nova Scotia Premier Stephen McNeil broke privacy laws when chief of staff Kirby McVicar publicly released sensitive medical information about a former cabinet minister, the province’s privacy commissioner says. McVicar resigned Nov. 24 after stating in several media interviews that Andrew Younger had a brain tumour and had been diagnosed with post-traumatic stress disorder. In a report released Thursday, privacy commissioner Catherine Tully concluded that McVicar violated provisions of the Freedom of Information and Protection of Privacy Act. “The report finds that the disclosure is a breach of the privacy rules,” the report says, though there is no mention of penalties or further investigation. McNeil, speaking after a cabinet meeting, challenged Tully’s main conclusion, saying his office was not to blame because McVicar took sole responsibility for his actions. [Source] [CBC: NS OIPC rules premier’s former chief of staff violated law]

CA – Ontario Professionals Obligated to Share Info About “At Risk” Children

The Information and Privacy Commissioner of Ontario has issued a guide for disclosure of information to child protection workers. Individuals with reasonable grounds to suspect a child is need of protection must immediately report the suspicion to a children’s aid society even if the information is confidential or privileged and despite provisions of any other act; institutions and custodians are protected from liability if they act in good faith and do what is reasonable under the circumstances. [IPC ON – Yes You Can – Dispelling the Myths About Sharing Information with Childrens Aid Society]


WW – Gmail Now Warns Users When They Send and Receive Email Over Unsecured Connections

Google is introducing new authentication features to Gmail to help better identify emails that could prove to be harmful or are not fully secure. The company said last year that it would beef up security measures and identify emails that arrive over an unencrypted connection and now it has implemented that plan for Gmail, which Google just announced has passed one billion active users. Beyond just flagging emails sent over unsecured connections, Google also warns users who are sending. Gmail on the web will alert users when they are sending email to a recipient whose account is not encrypted with a little open lock in the top-right corner. That same lock will appear if you receive an email from an account that is not encrypted. Last year, Google said that 57% of messages that users on other email providers send to Gmail are encrypted, while 81% of outgoing messages from Gmail are, too. Another measure implemented today shows users when they receive a message from an email account that can’t be authenticated. If a sender’s profile picture is a question mark, that means Gmail was not able to authenticate them. Authentication is one method for assessing whether an email is a phishing attempt or another kind of malicious attack designed to snare a user’s data or information. [TechCrunch] [Google Gmail Help]


US – Lawmakers Seek to Loosen Encryption on Smartphones

A fight over encryption-protected smartphone data is heating up in California and New York where lawmakers and law enforcement groups are pushing bills to enable investigators to unscramble data to obtain critical evidence in human trafficking, terrorism and child pornography cases. The bills seek to loosen the powerful encryption tools major cell-phone manufacturers have put in place to protect a smartphone user’s privacy and guard against hacking. Supporters argue law enforcement needs access to data that can help them prove or solve criminal cases, while technology and privacy groups are concerned the legislation would put a user’s personal information at risk. [SF Chronicle] [Sen. Feinstein Says Terrorists Only Need The Internet and Encryption To Attack] [US Congress locks and loads three anti-encryption bullets] [Bill Would Ban State Efforts to Weaken Encryption]

US – New Bill Aims to Stop State-Level Decryption Before It Starts

Over the last several months, local legislators have embarked on a curious quest to ban encryption at a state level. For a litany of reasons, this makes no sense. And now, a new bill in Congress will attempt to stop the inanity before it becomes a trend. California Congressman Ted Lieu has introduced the “Ensuring National Constitutional Rights for Your Private Telecommunications Act of 2016,” which we’ll call ENCRYPT. It’s a short, straightforward bill with a simple aim: to preempt states from attempting to implement their own anti-encryption policies at a state level. We’ve outlined the reasons that a patchwork of state anti-encryption laws makes no sense before, but it’s worth a quick recap. Lieu himself considers there to be three main issues with allowing government backdoors generally. (He’s also, for what it’s worth, one of four sitting Congressman with a computer science degree). [WIRED]

WW – Report: A Worldwide Survey of Encryption Products

A report from Bruce Schneier, Kathleen Seidel, and Saranya Vijayakumar says that mandating backdoors in encryption products would hinder competitiveness for those countries while having little effect on criminals intent on using encryption products that are free of such weaknesses. “Anyone who wants to evade an encryption backdoor in US or UK encryption products has a wide variety of foreign products they can use instead.” [Schneier] [ArsTechnica] [The Register] [NBC News]

EU Developments

EU – WP29 Lays Out 2016 Action Plan for GDPR Implementation

Last week, the Article 29 Working Party published the group’s action plan for the implementation of the General Data Protection Regulation. The Privacy Advisor shares commentary from Falque-Pierrotin during last week’s presser and looks into the official release by the WP29 of its four action plan items, which include the establishment of a European Data Protection Board, preparation for a one-stop shop and consistency mechanism, guidance for controllers and processors, and the creation of an online communication tool around the EDPB and GDPR. [IAPP]

UK – Snooper’s Charter Given Thumbs Up by UK Parliament Report

The UK parliament has published a joint committee report that only feebly challenges the government’s draft Investigatory Powers Bill. In contrast to the scathing report by the Intelligence and Security Committee report published earlier this week, the joint committee accepts nearly all the arguments of the government and intelligence services for wide-ranging and intrusive surveillance powers. In response to the controversy and criticisms of the proposed Snooper’s Charter, the report simply says: “The public debate over these powers is a healthy one, and the Home Office should ensure that it and the security and intelligence agencies are willing to make their case strongly in the months ahead.” In the main, the joint committee calls for only minor tweaking of the plans, but does recommend that a post-legislative review of the Snooper’s Charter should be made five years after it has been enacted. It also wants it to be illegal to ask foreign agencies like the NSA to undertake surveillance that UK intelligence agencies are not authorised to undertake themselves. [Ars Technica] [UK politicians green-light plans to record every citizen’s internet history But recommend that no encryption backdoors should be installed] [Parliamentary Watchdog Savages Snoopers’ Charter: ‘Inconsistent and largely incomprehensible’]

EU – Facebook Ordered to Stop Tracking Non-Users in France

In a 16-page ruling issued this week, France’s CNIL found fault with data collection by Facebook at its own site, and at the sites of outside publishers with “Like” buttons. “While the purpose claimed by the company may seem legitimate (ensuring the security of its services), collecting data on browsing activity by non-account Facebook holders on third-party websites is carried out without their knowledge.” The regulator also said that Facebook violates EU privacy law by placing cookies on the computers of visitors to without first obtaining their consent. Last year, authorities in Belgium also ordered Facebook to stop tracking non-users. Several weeks later, Facebook began preventing non-account holders in Belgium from accessing In the past, anyone in that country could access many Facebook pages found through search engines, including pages for small businesses, sports teams, celebrities and tourist attractions. The CNIL also said in its ruling that Facebook can’t send data about EU citizens to U.S. servers, due to a ruling last October that invalidated an agreement that enabled the data transfers. While EU and U.S. authorities recently negotiated a new agreement, it has not yet been finalized. [MediaPost] [French data privacy regulator cracks down on Facebook]

UK – UK and US Negotiating on Wiretap Orders and Warrants

US and UK negotiators are working toward an agreement that would allow MI5 to serve US companies with wiretap orders for communications of British citizens in counterterrorism investigations. The arrangement would also allow Britain to serve orders for stored data. The draft proposal would allow MI5 to access data stored on overseas computers that are run by American organizations. The proposal would allow US intelligence the same access in the UK. [The Register] [Wash Post]

Facts & Stats

UK – Data Breaches led 3 Million Brits to Switch Service Provider

In the UK, three million Brits have changed service providers as a direct result of data breaches, according to new research a by Privitar. Concerns over how personal data is stored, used and ultimately protected have led to growing discomfort among consumers, with findings suggesting that perceptions about how well organizations safe-guard their data is a significant consideration when customers are choosing a service. Despite this, more than half (52%) of the 2018 adults surveyed admitted that they struggle to find out how their data is stored and used by companies. With the GDPR due to be implemented across the industry in the coming months it appears companies are faced with the challenge of acting on data privacy and protection to win customer trust, thus avoiding customer churn. After all, 83% of respondents said they would look to switch to another service if they felt it could manage their data better.  [Infosecurity]


EU – Google to Scrub Web Search Results More Widely to Soothe EU Objections

Google will start scrubbing search results across all its websites when accessed from a European country to soothe the objections of Europe’s privacy regulators to its implementation of a landmark EU ruling, a person close to the company said. To address the concerns of European authorities, the Internet giant will soon start polishing search results across all its websites when someone conducts a search from the country where the removal request originated, a person close to the company said. That means that if a German resident asks Google to de-list a link popping up under searches for his or her name, the link will not be visible on any version of Google’s website, including, when the search engine is accessed from Germany. [Reuters] [New York Times] [Google to honor RTBF requests worldwide, for European users]


UK – National Financial Crime ‘Taskforce’ Launched

The UK’s largest retail banks have joined forces with the Home Office, Bank of England and police to develop a coordinated approach to tackling fraud. Project Sunbird, a collaboration between the Western Australian Police and Western Australian government’s Department of Commerce, is able to analyse international transaction data to detect patterns consistent with fraud and pro-actively reach out to individuals who may have been victims. The new Joint Fraud Taskforce’s early work will focus on improving intelligence-sharing between the financial sector, government and law enforcement, in order to prevent fraudsters from exploiting gaps and vulnerabilities. It will also help to raise public awareness through a list of the 10 ‘most wanted’ fraudsters, and work to establish “a much richer understanding of how fraud happens, and what can be done to stop it”, according to the UK home secretary. Members of the taskforce include the City of London Police, National Crime Agency, the Bank of England, fraud prevention body Cifas, from Financial Fraud Action UK (FFA UK) and the chief executives of the major banks. The new taskforce will report to the Home Office, as well as publishing public updates, the home secretary told MPs. [Source]


CA – Senate Bill Prohibits Employers from Taking Disciplinary Action for Employee Refusal to Disclose Genetic Test Results

Bill S-201, An Act to Prohibit and Prevent Genetic Discrimination has received second reading and been referred to the Standing Senate Committee on Human Rights. An employee’s refusal to undergo or disclose the results of a genetic test cannot be used to dismiss, suspend, demote or lay off an employee, impose any penalty on an employee, refuse remuneration, or threaten to take disciplinary action against an employee; no individual can disclose to an employer that an employee had undergone a genetic test or the results of an employee’s genetic test without written consent. [Bill S-201 – An Act to Prohibit and Prevent Genetic Discrimination – Senate of Canada]

Health / Medical

CA – Insurance Company Offers Rebates for Healthy Lifestyle

A Canadian insurance company is set to offer a new insurance program that rewards policy holders for healthy lifestyle choices such as regular exercise, getting an annual health screening or a flu shot. Ontario-based insurance giant Manulife is partnering with Vitality Group to bring the program to Canada, after rolling out similar systems in parts of Africa, Asia and the United States. The company said sign-up process is similar to many insurance policies, in that applicants take an online test to determine their level of overall health and then are offered a premium. Policy holders who enroll in the program receive personalized health goals and can log their activities using online and automated tools, which are integrated with the latest wearable fitness-tracking technology such as Fitbit, Manulife said. Officials at the Office of Canada’s Privacy Commissioner said while they have not studied the insurance product offered by Manulife, they would encourage people to carefully consider the potential implications before sharing any personal information – especially sensitive information. [Source]

US – Privacy Advocates Left Out Of NHS Care.Data ‘Oversight’ Board

Privacy advocates have been secretly expelled from the NHS’s discussions group, while lobbyists backed by biotech corporations have kept their places at the table. The Advisory Group was established in March 2014, after the scheme’s first collapse, as part of a process to get – which intends to centralise patients’ health and social care data so it can be packaged and sold to private corporations – up and running again. A recent study into the scheme carried out by the University of Cambridge found that was “launched in a contradictory regulatory landscape” and wracked with “unrealistic expectations” regarding the potential for patient health and social care data to be sufficiently anonymised when shared. [The Register]

US – Administrative Law Judge Affirms OCR Authority to Enforce HIPAA

An administrative law judge has upheld the authority of the Office for Civil Rights of the Department of Health and Human Services to enforce HIPAA regulations and impose fines, the second time a judge has made such a ruling in OCR’s favor. The decision means Lincare, a healthcare provider of respiratory care, infusion therapy and medical equipment to in-home patients, will have to pay $239,800 in civil money payments for an incident in which patient records were left unsecure. In the case, OCR charged that a Lincare employee took 278 patient records home and later left the records in the house after moving to live elsewhere. Another person who had lived in the home with the employee later found the records. An OCR investigation found that Lincare employees, who provide healthcare services in patients’ homes, regularly removed patient information from the company’s offices. “Further evidence indicated that the organization had an unwritten policy requiring certain employees to store protected health information in their own vehicles for extended periods of time,” the agency reported. “Although aware of the complaint and OCR’s investigation, Lincare subsequently took only minimal action to correct its policies and procedures and strengthen safeguards to ensure compliance with the HIPAA rules.” OCR reported that Lincare denied violating HIPAA, contending that patients’ protected health information was “stolen” by the individual who found the records in the home. In the ensuing court case, the administrative law judge ruled that Lincare was obligated to take reasonable steps to protect PHI. [Source] [Press Release | Notice of Proposed Determination | Decision]

Horror Stories

CA – Thermal Imaging May Lower Power Bill, But Raises Privacy Concerns

The City of Vancouver is beginning a new program that uses thermal imaging to identify older homes that are using excess energy. WATCH: Thermal imaging has been helping homeowners figuring out where they’re losing heat, so they can reduce their power bill, but it’s also adding concerns about a possible invasion of privacy. Beginning in April, the plan is to take images of up to 15,000 homes and then work with about 3,000 homeowners to make their spaces more green, by offering consultation and incentives. Higgins says the cameras can only detect heat, and the photos will only be shared with the homeowner. Once the 18-month pilot project is over, the images will be destroyed. [Global News]

US – Thieves Steal Tax Information from the IRS

The Internal Revenue Service was the target of an attack that used stolen social security numbers and other taxpayer data to obtain PINs that can be used to file tax returns electronically. The attack occurred in January and targeted an IRS Web application that taxpayers use to obtain their so-called Electronic Filing (E-file) PINs. The app requires taxpayer information such as name, Social Security number, date of birth and full address. Attackers attempted to obtain E-file PINs corresponding to 464,000 unique SSNs using an automated bot, and did so successfully for 101,000 SSNs before the IRS blocked it. The personal taxpayer data used during the attack was not obtained from the IRS, but was stolen elsewhere, the agency said in a statement. The IRS is notifying affected taxpayers via mail and will monitor their accounts to protect them from tax-related identity theft. [Source]

Internet / WWW

UK – Privacy Watchdog Warns That IoT Devices Can Track People

The UK ICO has told manufacturers of Internet of Things devices they should make better attempts to notify people that data could be collected on them. Simon Rice, technology group manager at the ICO, said that the IoT industry has to comply with data protection when collecting personal data. There could arguably be some confusion over what constitutes personal data and Rice set out a few examples of where data is personal and where it isn’t. What definitely is personal data are Mac addresses used in smartphones. “An IPv6 address could be personal as it would be specific to that device,” he said. He added that even if individual identification is not the intended purpose, the implications of IoT for privacy and data protection are still significant. [Source] See also: [IoT Could Be Used To Spy, Admits James Clapper] and [US intelligence chief: we might use the internet of things to spy on you]

WW – Data Security Concerns Remain Top Obstacle to IoT Initiatives

Despite the rapid growth of the Internet of Things, concerns over data security remain the number one obstacle to further development. That is the conclusion of a recent study by TEKsystems on the state of Internet of Things (IoT) initiatives. More than 200 IT and business leaders were polled by the Hanover, MD-based firm on project ownership, implementation status, risks, required skill sets and organizational preparedness. The purpose of this survey was to gain a better understanding of how organizations are being impacted by IoT, steps they are taking to prepare, resource barriers and challenges, as well as long-term IoT objectives. Key findings from the study are:

  • While 55% expect IoT initiatives to have a ‘transformational’ or ‘significant’ impact
    – just 22% of IoT initiatives have progressed to the implementation stage.
  • Information security and ROI are cited as the biggest hurdles to address
    – and information security experts are cited as the most difficult skill set to find.
  • Leadership of IoT initiatives still mostly reside with IT.
  • Two-Thirds expect IoT projects to be handled with internal staff, yet most organizations are not highly confident in their “in-house” preparedness [Source]

WW – IoT from “Sensor-to-Insight” to “Sensor-to-Action”

A few months ago, we passed an important milestone: For the first time in history, the mobile network traffic between machines had a higher volume than the mobile network traffic between humans. Imagine that… Internet-of-Things traffic surpasses the traffic generated by selfies, pictures of cute cats, text messages as well as all voice traffic in our mobile networks! Internet-of-Things has been a hot and exciting topic for quite a while, but now we see an important development that accelerates the IoT revolution: For a long time, the most common application for IoT has been to collect data. Sensors on various devices and machines have generated data, we have used clever technology to gather this data, send it to some central system and make sense of it. Let us call it “from Sensor to Insight”. What we see now is that we still gather data from remote devices and sensors, but the data can be used to trigger action. To execute business processes. Or influence already running processes. The focus of Internet-of-Things is moving, from “Sensor-to-Insight” to become “Sensor-to-Action”. [Source] See also: [FTC in no rush to regulate Internet of Things] See also: [Visceral data: After heartbreak, IoT devices give us ‘something to show’ ]

WW – GSMA Unveils IoT Security and Privacy Guidelines

The GSMA released guidelines designed to promote secure Internet of Things (IoT) service development and deployment, a sign that the mobile industry acknowledges a growing cybersecurity threat, as well as burgeoning consumer wariness around data privacy and IoT. The document was developed through consultation with the mobile industry. The rapid growth in IoT take-up increases the possibility of potential vulnerabilities, according to the GSMA. “These can be overcome if the end-to-end security of an IoT service is carefully considered by the service provider when designing their service and an appropriate mitigating technology is deployed.” The guidelines have been designed for all participants in the IoT ecosystem including service providers, device vendors and developers. As well as helping providers to build secure services from the outset, the guidelines also establish the need for assessing the risk of all components in an IoT service to ensure they are designed for secure data collection, storage and exchange. The guidelines went through a consultation with academics, analysts and other industry experts. [Mobile World]

Law Enforcement

US – New Report Shows the Limits of Police Body Cameras

The Brennan Center has just completed a study of the body camera policies in the 24 police departments around the country [PDF version] that have so far implemented them. Of the 24, 9 programs are still in the pilot stage. For comparison, the Brennan Center also included three model programs from the ACLU, the International Association of Chiefs of Police, and the Police Executive Research Forum. The authors of the study then broke the policies down into several charts, “Recording Circumstances,” “Privacy and First Amendment Protections,” “Accountability,” “Retention and Release,” and “Security.” [Wash Post] See also: [Survey: Almost All Police Departments Plan to Use Body Cameras] and [A separate effort by the Leadership Conference on Civil and Human Rights, a coalition of different advocacy groups, is tracking implementation of recommended body camera polices across 25 police departments].SEE ALSO: [Missouri Bill Permits Access to Recordings from Law Enforcement Body Worn Cameras: House Bill 2344, relating to body worn cameras and amending Missouri Revised Code in relation to public records, is introduced and read for a second time]

US – Nebraska Bill Permits Govt Use of ALPR Systems Subject to Restrictions

Legislative Bill 831, the Automatic License Plate Reader Privacy Act, is introduced and referred to the Judiciary Committee. Captured license plate data may only be used by specified law enforcement agencies for specified purposes (e.g. traffic violations, missing persons, stolen vehicles, criminal investigations, electronic toll collection, and controlling access to secured areas); law enforcement may only process privately held plate data no more than 14 days old and subject to a criminal warrant or court order. [Legislative Bill 831 – Automatic License Plate Reader Privacy Act – 104th Legislature of Nebraska]

Other Jurisdictions

WW – Privacy Bar Section of the IAPP Unveiled

IAPP has announced the launch of its Privacy Bar Section, which aims to serve the lawyers that compose more than forty percent of IAPP’s membership. In conjunction, the IAPP has also applied to the American Bar Association to have its privacy certification officially recognized as a legal specialty. [IAPP]

Privacy (US)

US – Obama Establishes ‘Cyber Czar’ and New Privacy Board

President Barack Obama is asking Congress to devote $19 billion to cybersecurity and is issuing new executive orders geared at the protection of both government and private computer networks. In one executive order, Obama directed agencies to implement the Cybersecurity National Action Plan. The CNAP is the broad plan that includes establishing the office of a federal chief information security officer, making budget requests and focusing on training opportunities. The federal chief information security officer marks the first time a senior official will be dedicated solely to developing, managing and coordinating the government’s cybersecurity strategy across multiple agencies, a “cyber czar” of sorts. A separate executive order will create the Federal Privacy Council, which is a multi-agency task force charged with coming up with policies to help the government fight hackers or identity thieves, while also protecting the privacy of individuals. The privacy council will report directly to the president. [The Blaze] [White House Executive Order on Privacy Falls Short]

US – ACLU, Tenth Amendment Center Take on Student Data Privacy

In consultation with the center — a think tank that advocates strict limits on federal power — the ACLU wrote model legislation that both organizations are urging legislators around the country to support. Parts of the bills aimed at bolstering student-privacy protections were written to ensure that “schools don’t become a Constitution-free zone,” and that companies that want to collect student data must first get explicit permission. Over the past two years, 32 states have enacted some sort of data-privacy law, according to the Data Quality Campaign. Some of those laws have been sweeping, such as California’s Student Online Personal Information Privacy Act, which has drawn particular praise from privacy advocates. Other laws are much weaker, experts say. To work around a lack of movement at the federal level over data-privacy protections for students, the activists and lawmakers working with the two organizations are calculating that if they get enough states to adopt a stricter slate of privacy expectations for vendors, companies will have little choice but to raise their standards to a level nationally that would allow them to work in any state. Tthe proposed legislation focuses on stepping up safeguards in four specific areas:

  • Parental or student consent to release student data for noneducational purposes or to third parties;
  • Limits on information that can be gleaned from computing devices loaned to students;
  • Protections from warrantless searches of students on campus; and
  • Restrictions on access to student postings that are behind privacy settings on social media.

The model legislation also calls for professional development to help teachers familiarize themselves with basic student-data-privacy concepts. The Future of Privacy Forum — a Washington-based think tank and a co-author of the Student Privacy Pledge, a commitment by ed-tech companies to safeguard data — offered a measured endorsement of the provisions in the ACLU’s model bill. [Source] See also: [Senate Bill 2171 – Student Privacy in Take-Home Technology Programs – State of Rhode Island General Assembly]

US – ACLU publishes updated privacy guide

The ACLU of Southern California announced its publication of the third edition of “Privacy and Free Speech: It’s Good for Business,” the organization reports on its website. The guide includes “more than 100 case studies and cutting-edge recommendations on everything from privacy policies to security planning to community speech standards,” the report states. “By following some pretty simple steps to incorporate privacy and free speech protections into products, businesses can make their services user friendly and avoid costly mistakes,” the report continues. “As the primer illustrates, doing so is not just good on principle — it’s good for business, too.” The primer is available for free online. [ACLU]

Privacy Enhancing Technologies (PETs)

WW – Britain’s First Anonymous Search Engine

Oscobo is the only UK-based Privacy Search Engine that does not track or store users’ data. The company was founded on the belief that personal data should remain just that, personal, and has set out to turn the tables to favour the Internet user instead of serving interests of big companies. This article will highlight the importance of understanding how user data is being tracked and used by search engines, and how using an anonymous option has clear benefits. [Source]


EU – NIS Directive Establishes First EU-Wide Cyber Security Rules

In December 2015 the EU institutions came to an agreement on the Network and Information Security Directive, establishing a set of EU-wide rules on cyber security for the first time; formal adoption of the Directive by the European Parliament and the Council of the EU is pending at the time of publication. For those businesses that fall under its scope, such as search engines and cloud computing providers, the advent of the NIS Directive will mean that incident handling and notification will take on a more serious role than previously, and numerous security obligations will need to be satisfied. [FieldFisher Privacy Law Blog]

WW – Firms Feel More Confident In Ability to Thwart Data Breaches: Study

A majority of organizations believe they will be more secure against data breaches in 2016, despite the fact that nearly three-quarters of organizations experienced a security threat last year. Why the seeming disconnect? A growing number of organizations are investing in more advanced security solutions and are ramping-up end user training around data security best practices. Those are among the findings of the recent study “Battling the Big Hack“ from Spiceworks, which looked at IT professionals’ perceptions of the biggest IT security threats and the steps they’re taking to prevent security incidents and breaches within their organizations. The study found that while 80% of organizations experienced a security incident in 2015, 71% of IT professionals expect their organizations to be more secure in 2016. There is also good news in the study. “In order to protect end users from breaches on various devices in the workplace, 73% of IT professionals are enforcing end-user security policies and 72% are regularly educating their employees through lessons on topics such as ‘how to avoid malware’ and ‘how to spot phishing scams,’ the study noted. [Source]

WW – Infosec Pros Still Pressured to Release Unsecure Projects: Survey

Despite an increase in the number of data breaches last year infosec pros say they continue to be pressured by the business side to release projects that aren’t fully secure, according to an international survey. The survey, paid for by Trustwave, showed that 77% cent of respondents in five countries — and 7% of Canadians — felt either frequent or periodic pressure to roll out IT projects that weren’t security ready. The good news is that the majority agreed it was once or twice rather than frequently. However, if a bug slips by that could be once too many. Released this week, the survey questioned 1,414 in-house information security professionals from around the world including 210 from Canada. Others were in the U.S., Britain, Australia and Singapore. [IT World Canada]

WW – Removing Administrator Rights Mitigates Most Windows Vulnerabilities

According to a recent report, 85% of critical vulnerabilities in Windows last year could have been mitigated by eliminating administrator rights. Nearly all critical flaws affecting Internet Explorer (IE) could have been mitigated with the same action. [ZDNet] See also: [2009 report states that 92% of critical vulnerabilities would be mitigating by reducing the privileges for users on their systems] and [this guide from the NSA in 2013 also recommends reducing the use of local admin accounts. The use of local admin accounts is a prime example of how ease of use wins out over security. Microsoft has published some guides on how to manage this issue. [TechNet] [Technet]

US – DHS, FBI Employee Data Exposed

Someone posted personal information that seems to cover more than 9,000 US Department of Homeland Security (DHS) employees and 20,000 FBI employees online. The self-proclaimed attacker said that the information was taken from a Department of Justice (DOJ) computer using a compromised DOJ email account. [CNET] [DarkReading] [The Hill] [The Hill] [ComputerWorld] []

Smart Cars

EU – European Multi-Stakeholder Group Releases Connected Vehicles Report

In December 2015, a multi-stakeholder group called “C – ITS Working Group 6” created in the context of the ITS and eCall working groups published a report on the possible ways that access might be granted to the data generated by connected cars. European Regulation 758/2015 requires the development of an “interoperable, standardized, secure, open-access platform” for the sharing of data. Originally, the work regarding the data sharing platform was related to the eCall directive, which requires cars to be equipped with communication devices that automatically communicate with emergency services in the event of a serious accident. However, Regulation 758/2015 mandates interoperable, standardized, secure, and open access platforms in the broader context of connected car data, including access to telematics data. [Source]


US – Dstillery Uses Iowa Caucus Data to Paint Voter Picture

In a Marketplace report, “data intelligence” and targeting ad firm Dstillery CEO Tom Phillips discusses how the organization employed data analysis technology to find correlating voter traits from participants in the Iowa caucus. “We watched each of the caucus locations for each party and we collected mobile device ID’s,” Phillips said. “It’s a combination of data from the phone and data from other digital devices.” The result? “NASCAR was the one outlier, for Trump and Clinton,” Phillips said. “In Clinton’s counties, NASCAR way over-indexed.” While Dstillery has only taken a look at Iowa voters, it “anticipates compiling voter data in other primaries” depending on candidate interest, the report states. [Source]

US Government Programs

US – White House Plots Privacy Updates for 2016

Marc Groman, who advises the White House on privacy issues, is focusing on delivering fundamental changes to privacy policy in government operations, including IT, in the next 11 months before President Barack Obama leaves office. “Privacy is not a subset of cybersecurity or IT,” said Groman, senior adviser for privacy at the Office of Management and Budget, during a Department of Homeland Security Data Privacy and Integrity Advisory Committee presentation on Feb. 8. “It has to move with those, but it needs its own council.” He was referring to the Federal Privacy Council, which was announced in December 2015 by OMB Director Shaun Donovan. It will be modeled on the CIO Council and will seek to bolster privacy best practices and operations in the federal government. The council will also try to capitalize on individual agencies’ advances in privacy policy, transform those strategies from reactive to proactive and “professionalize” privacy roles in the federal government, Groman said. “We want to shift from an environment of one-time compliance to one of ongoing risk-based” management that incorporates continuous reevaluation of privacy plans, he added. [FCW]

US Legislation

US – Senate Passes Privacy Bill Key to Two International Agreements

The Judicial Redress Act, which gives EU citizens the right to challenge misuse of their personal data in U.S. court has long been a stated requirement of the umbrella agreement, which would allow the U.S. and EU to exchange more data during criminal and terrorism investigations. Its role in the final approval of so-called Privacy Shield, struck last week, is murkier. The deal replaces a 2000 agreement that permitted some 4,400 U.S. firms to legally handle European citizens’ data, struck down by the EU high court in October over privacy concerns. The bill is also a prerequisite of a law enforcement data-sharing “umbrella” agreement reached last fall. [The Hill] See also: [Judicial Redress Act Would Extend Privacy Act Remedies to Citizens of Designated Foreign Nations] [Senate, House OK Judicial Redress Act, send to Obama to sign] [Laws to give EU citizens right of redress in the US over data handling move closer]




01-07 February 2016


EU – Revised Edition of Biometric Privacy Guidelines Now Available*

The Biometrics Institute has completed revisions on its Biometrics Privacy Guidelines, Biometric Update reports. The guide is a document comprising 16 principles that assist users “across many different countries and jurisdictions,” considering that “biometrics and information technologies do connect beyond national boundaries and across different fields as diverse as health records, border controls, retail, consumer based applications in the telecommunications industry, finance and banking and driver’s licenses,” the report states. “It is the public’s assurance that the biometric managers have followed best practice privacy principles when designing, implementing and managing biometric based projects,” said Biometrics Institute CEO Isabelle Moeller on the guide’s update. The resource is only available to Biometrics Institute members. [Biometric Update] [Biometrics Institute Issues Privacy Guidelines] * To Biometric Institute Members only

WW – New App Employs Selfies to Help Users Find Pictures of Themselves

Waldo, a free app hitting iPhones this spring, utilizes a selfie and location data to find other pictures of the user that have been uploaded to the service. It primarily scours public events, like concerts, for pictures of users, alerting them when it finds their photo elsewhere. The technology has already garnered comparisons to Facebook’s Moments app. However, Waldo’s CEO maintains that the app is aimed toward simplifying a user’s social media experience. “We’re going to make it really painless to get those so you’re not constantly nagging and saying, ‘Hey, will you text me that photo from that party the other night?’“ [MIT Technology Review]


CA – Ontario Court Expands Scope of Privacy Tort to Include ‘Revenge Porn’

A recent ruling that found a man financially liable for posting a private sex tape of a former girlfriend online is being hailed as a case that is the first of its kind in Canada. Experts are calling the decision a win, which makes sense given we live in an age where there is a rapidly climbing sensitivity to victimization of all kinds, particularly in social media. “Personal and private communications and the private sharing of intimate details of person’s lives remain essential activities of human existence and day to day living. To permit someone who has been confidentially entrusted with such details — and in particular intimate images — to intentionally reveal them to the world via the Internet, without legal recourse, would be to leave a gap in our system of remedies,” said the ruling. “I therefore would hold that such a remedy should be available in appropriate cases.” [Source]

CA – Tax Agency Staffer Gone After Taxpayer Data Leaks to CSIS

No one’s saying much about what happened and who’s been held accountable for several breaches of taxpayer privacy at the Canada Revenue Agency. The privacy breaches came to light last week in the annual report of the watchdog for CSIS, Canada’s spy agency. The report described how intelligence officers, repeatedly and without a warrant, improperly obtained taxpayers’ information. Canada Revenue Agency has confirmed that an employee implicated in a leak of taxpayer information to CSIS is no longer with the tax agency. When CRA was asked what happened on its side, and whether anyone has been fired or disciplined, a spokesman responded, “The employee is no longer with the agency (…) For more information about the incident, please contact CSIS.” A follow-up question about whether the former employee had taken the well-worn path of resigning or retiring before being fired, prompted a politely worded response from Brideau that the agency won’t be able to provide such details. The public may learn more if Canada’s Privacy Commissioner decides to investigate. [Source] [CRA doesn’t even know what taxpayer information it shared improperly with spy agency]


US – How You Handle Data Privacy, Security Is Key to Customer Loyalty

How your organization handles issues related to data privacy and data security will have an enormous impact on the willingness of consumers to do business with you. That is one of the key findings of a new study by New York-based Morrison & Foerster. The firm has just released the results of its latest consumer survey on privacy. The survey, “Morrison & Foerster Insights: Consumer Outlooks on Privacy,” examines the attitudes and concerns that U.S. consumers across the country have regarding multiple privacy-related issues, such as the disclosure of personal information, data breaches, and privacy policies. The study results offer some important lessons for IT and data professionals. “The findings indicate that a significant percentage of the American people continue to be concerned about numerous facets of security.” [Source] [MoFo]


UK – Communication Providers Should Not Have to Decrypt Messages: MPs

The UK Science and Technology Committee, which has assessed the technical feasibility of the draft Investigatory Powers Bill, said, though, that the new laws should allow intelligence agencies to request that communication providers decrypt data they have encrypted “in tightly prescribed circumstances”. New UK surveillance laws should not impose obligations on communication providers to decrypt messages sent over their networks if they have not added the encryption to those messages, a committee of MPs has said. Giving evidence in December to another parliamentary committee that is scrutinising the Bill, Vodafone raised concern about provisions of the draft laws that would force communication network operators to decrypt communications sent over their networks via other communication services, like Skype and WhatsApp, if requested to do so. In its report, the Science and Technology Committee said that there is a lack of clarity in the current draft of the Bill with how some terms are defined as well as over “the extent to which ‘internet connection records’ (ICRs) will have to be collected” by communication providers. [Source]

EU Developments

EU – The “Privacy Shield” Faces an Uphill Battle

This week, European VP Andrus Ansip and Commissioner Vera Jourová announced that the EU Commission had approved a political agreement on what will henceforth be known as the “EU-US Privacy Shield.” Over the coming weeks they will have to draft a fresh EU Commission adequacy decision to replace the previous “Safe Harbor” decision, which the Court of Justice of the European Union found invalid in Schrems. There is already speculation that the validity of this new decision will itself be challenged in the CJEU; as much is clear from discussions in the European Parliament the night before. So Ansip and Jourová will need to draft as robust a decision as they can, if that decision is to withstand review by the CJEU. [IAPP] [How sturdy is the Privacy Shield?] [FTC, DoC answer Privacy Shield questions] [EU DPAs respond to Privacy Shield; BCRs are a go, for now] [EU-US Privacy Shield scrutinized in Article 29 Working Party initial response] [Deal on EU-US Privacy Shield leads EU watchdogs to extend moratorium on data transfers enforcement action] [EU-US Data Transfers Won’t Be Blocked While Privacy Shield Details Are Hammered Out, Says WP29] [Privacy Shield mauled by European tech suppliers but successor to Safe Harbour agreement cheered by US firms] [FTC Commissioner Julie Brill comments on EU-US Privacy Shield] [What businesses need to know about Privacy Shield] [The EU-US Privacy Shield. Not quite there yet!]

UK – Investigatory Powers Bill Loopholes Will Lead to Unbridled Surveillance

The House of Commons Science and Tech Committee has published its report on the draft Investigatory Powers Bill, influenced by comments submitted by 50 individuals, companies, and organizations. The report is the first of three investigations by different Parliamentary committees. While it was intended to concentrate on the technological and business ramifications of the bill, their conclusions reflect the key concern of lawmakers, companies, and human rights groups about the bill’s dangerously vague wording. The Investigatory Powers Bill, as written, is so vague as to permit a vast range of surveillance actions, with profoundly insufficient oversight or insight into what Britain’s intelligence, military and police intend to do with their powers. It is, in effect, a carefully-crafted loophole wide enough to drive all of existing mass surveillance practice through. Or, in the words of Richard Clayton, Director of the Cambridge Cloud Cybercrime Centre at the University of Cambridge, in his submissions to the committee: “the present bill forbids almost nothing … and hides radical new capabilities behind pages of obscuring detail.” The series of successful challenges in the UK and EU against previous surveillance law and practice shows that vague and unbounded language cannot survive a serious challenge in the courts. If the UK government wants its surveillance rules to stand the test of time, it needs to build them on a firm foundation of clarity, necessity, and proportionality. [Source]

EU – Companies Subject to Multiple EU Data Protection Regimes: Watchdog

Companies that are operational in multiple EU countries can be forced to comply with each of the different national data protection laws that apply in the countries in which they operate, according to new guidance. The Working Party’s guidance also explained how EU data protection laws can apply to non-EU based companies, even if they process personal data outside of the EU. In this context the guidance expands on a 2014 case involving internet giant Google in which the CJEU ruled that Google was subject to Spanish data protection laws despite the company not processing any personal data in the country. The CJEU assessed the fact that Google had a Spanish subsidiary based in Madrid that promoted and sold advertising space for its search service when arriving at its decision. [Out-Law]

Health / Medical

US – Obama: ID Theft Victims Should Have Access to Thieves’ Medical Records

The Obama administration says those who’ve had their identities stolen have the right to review and correct their medical records and also have the right to look at the medical records of those who stole their records. To date, it’s been difficult at times for victims of ID theft to correct their records because they haven’t been able to access the thieves’ medical data because of health care privacy laws. The Senate Health, Education, Labor and Pensions Committee has been looking at ways to help victims of medical identity theft, and the Obama administration — recently criticized by Republicans for not doing enough on the issue — outlined the policy in a letter to the committee. [Wall Street Journal] [FierceHealthIT]

ON – Hospital Improperly Refused to Disclose PHI Because They Consist of Mental Illness Records: IPC ON

This IPC decision reviews the Halton Healthcare Services’ handling of a request for disclosure of health information pursuant to the Personal Health Information and Protection Act. The hospital, which must re-exercise its discretion, relied on irrelevant considerations in deciding against disclosure, such as the fact that there was an the absence of “specimens” and the records are about mental illness; some mental illnesses seem to run in families and it is possible that the PHI may be relevant to health care decisions by family members. [IPC ON – PHIPA Decision 21 – Halton Healthcare Services]

CA – OIPC BC Determines Public Body Did Not Follow Privacy Policies

The BC Office of the Information and Privacy Commissioner investigated the Ministry of Education for failure to protect personal information in its custody. A hard drive containing student personal information (i.e. names, dates of birth, gender, financial aid data, special needs, health and behaviour issues and personal education numbers) went missing; the Ministry should conduct mandatory training with periodic refresher courses, maintain an accurate inventory of personal information assets and store mobile storage devices in a government-approved facility. [OIPC BC – Investigation Report F16-01 – Ministry of Education] See also: [Privacy breach in B.C. points to need for policies in Yukon: commissioner]

UK – Health Care Breaches on the Rise

Healthcare is responsible for more data breaches than any other UK sector, and the number of cases is rising fast. There were 734 instances in 2014, and year-on-year numbers doubled from April-June 2013 to the same quarter the following year. UK trends could be set to follow those of the United States, where 91% of healthcare organisations have suffered at least one data breach in the past 2 years, and 40% have suffered more than 5 incidents. More importantly, mistakes and negligence are no longer the principle cause: criminal attacks on the healthcare sector have increased by 125% since 2010. Hackers can also steal far more information than is usually lost in error: the recent attack on Excellus is believed to have involved up to 10 million individual records. [Source]

Horror Stories

US – Health Insurer Loses Hard Drives with 950,000 Medical Records

Health insurer Centene Corp. is hunting for six computer hard drives containing the PHI records of about 950,000 individuals, the company said Monday afternoon. The drives were being used in a data project that sought to utilize lab test results to improve members’ health outcomes. The records on the missing drives include individuals’ names, dates of birth, Social Security numbers, member ID numbers and unspecified “health information.” [Source]

Identity Issues

CA – BCCLA Raises Privacy Concerns Over Compass Card Tracking

The BC Civil Liberties Association is warning the public about a possibility of a privacy breach for people using Compass Cards. BCCLA claims it is possible to track travel history by simply obtaining a person’s Compass Card. The BCCLA says they are concerned about abusive partners, stalkers or police abusing the system to track someone’s movement. The BCCLA is recommending people pay cash for the card or use cash to buy single-use Compass tickets if they want to make sure their name is not linked to a travel itinerary.[Source]

Internet / WWW

WW – The Case for Ethical Standards in (Big Data) Analytics

A paper by Carnegie Mellon researchers raised a red flag about the analytics behind Google job search ads, revealing that Google’s analytical modeling serves ads for a career coaching service for higher-paying jobs to men more frequently than it does to women. Other research and publications have also pointedly raised concerns and risks regarding the perils associated with breaches or questionable use of data. [Source] [“Automated Experiments on Ad Privacy Settings“]

Law Enforcement

US – EFF and ACLU Say Milwaukee Police Used Stingray Without a Warrant

The Electronic Frontier Foundation (EFF) and the American Civil Liberties Union (ACLU) have filed an amicus brief in the US Court of Appeals for the Seventh Circuit, alleging that the Milwaukee, Wisconsin police department used a stringray without first obtaining a warrant. [SCMagazine]

US – Berkeley Students File ECPA Suit Against Google

Four U.C. Berkeley students and an alumni have filed a lawsuit against Google accusing it of targeting U.C. Berkeley emails for data mining between 2012 and 2014. The suit follows complaints in 2014 that Google was scanning emails in “Apps for Education,” when nine plaintiffs accused the company of collecting their information for advertising without their consent. In this most recent suit, the plaintiffs say Google’s alleged email scanning violated the Electronic Communications Privacy Act. They say a 2014 post by Google acknowledging it had scanned Apps for Education emails is proof. Google said it doesn’t comment on pending litigation. [The Daily Californian] [Class Action lawsuit webpage] [U of Big Brother? ]

Online Privacy

WW – Extension Allows Users to Block Ads and Avoid Online Tracking

A new Firefox extension called Decentraleyes is aimed at helping users block ads and avoid being tracked online. The tool is free and available for Firefox users. It allows for the loading of content delivery networks with direct access to them, meaning users aren’t tracked once they’ve visited a site. While many sites “chose to host critical libraries on external services, like Google Hosted Libraries, to improve load times and ensure they don’t go down,” doing so “provides another avenue for companies to track the sites you visit.” Decentraleyes stores commonly used files locally “instead of from remote sources” to circumvent that problem. [The Next Web] See also: [Privacy Badger]

WW – Service Creates Ad-Blocker Workaround

Softpedia reports on a new service aimed at “helping online publishers counteract users that employ ad-blocking browser extensions when accessing their sites.” BlockBypass was developed by BlockIQ and responds to the proliferation and usage of ad-blocking extensions, which, according to one study, went up 41% in 2015 compared to the year prior. The trend led to a loss of $21.8 billion in ad revenue. The BlockBypass technology “would allow publishers to hide the location of the ad server from where the ad is being downloaded,” and will sit between the user and the ad server. [Softpedia]

Privacy (US)

US – Where do US Presidential Candidates Stand on Privacy and Surveillance?

Through the various debates and out on the campaign trail, the U.S. presidential election has begun to feature topics of privacy and cybersecurity. Sophos’ Naked Security blog rounds up each candidate’s stance in neat fashion. Republican Ted Cruz, who topped the recent Iowa caucuses, has publicly “opposed many politicians in his own party who were calling for expanded government surveillance powers.” Donald Trump, meanwhile, has called for “closing that Internet up” and said Americans “would be willing to give up some privacy in order to have more safety.” On the Democratic side, Hillary Clinton has “taken a hard line on NSA leaker Edward Snowden” and Bernie Sanders “voted against the USA PATRIOT Act in 2001 and 2006.” [NakedSecurity] See also: [Five senior U.S. administration officials, announced the National Background Investigations Bureau, which will conduct all background checks on federal employees and contractors going forward].

Privacy Enhancing Technologies (PETs)

WW – Google Expanding Safe Browsing in Chrome

Google’s safe browsing technology will now cover online advertisements that try to trick people into entering account access credentials or downloading malware that pretends to be a legitimate software update. If a site is deemed to be deceptive, Chrome will display a red screen and a text warning. [Source]

Smart Cars

EU – German DPA Issues Joint Declaration with Automotive Industry

The data protection authority in Germany issued a joint declaration with the Association of the Automotive Industry on the privacy aspects when using connected and non-connected vehicles. Organisations storing data collected from vehicles should inform individuals of how to exercise access rights and what measures will be taken if the database is lost or stolen; informed consent should be obtained when the vehicles are purchased and users should be able to change or reset settings on any user-entered information (i.e. navigation data and email or messaging contacts). [DPA Germany – Joint Declaration of the Conference of Independent DPAs of the Federal and State Governments and the Association of the Automotive Industry] (in German)


US – Felon’s Lifetime GPS Monitoring Upheld by US Federal Appeals Court

A federal appeals court is upholding lifetime GPS monitoring of a convicted felon, in this instance a Wisconsin pedophile who served time for sexually assaulting a boy and a girl. The court upheld the constitutionality of a Wisconsin law that, beginning in 2008, requires convicted pedophiles to wear GPS ankle devices for the rest of their lives. A federal judge had sided with the offender. Wisconsin appealed to the 7th US Circuit Court of Appeals, which ruled in the state’s favor and derided the lower court’s ruling as “absurd.” Among other things, Belleau said the GPS device violated his privacy because he had served his time and was not on post-prison supervision. The three-judge appeals court did not agree. The court’s reasoning, however, could apply to other criminals who have a propensity to reoffend. The court said that the burden on privacy “must in any event be balanced against the gain to society from requiring that the anklet monitor be worn. It is because of the need for such balancing that persons convicted of crimes, especially very serious crimes such as sexual offenses against minors, and especially very serious crimes that have high rates of recidivism such as sex crimes, have a diminished reasonable constitutionally protected expectation of privacy.” [Ars Technica]

WW – Fitness Trackers Put Users’ Health Data at Risk, Study Suggests

A recent study out of the University of Toronto suggests that wearable devices are full of security holes. The study, conducted by digital research group Open Effect and U of T’s Citizen Lab, found that many of the most popular devices leak information and are vulnerable to manipulation of recorded data. The devices, which can track everything from heart rate to quality of sleep, collect fitness data that wearers use to keep track of their health goals. These trackers aren’t just for the health conscious: lawyers and insurance companies have used data to verify users’ fitness. But while the devices collect an enormous amount of personal health information, key security flaws make it easy to tamper with the data, the study found. Only the Apple Watch received a clean bill of health from researchers because it connected to other tech, such as cellphones, anonymously. [Source]

WW – Berlin Group Issue Recommendations on with Intelligent Video Analytics

The International Working Group on Data Protection in Telecommunications (the “Berlin Group”) issues a working paper on intelligent video analytics technologies by both private and public sector. Privacy implications include a chilling effect, interference with fundamental rights, and lack of public awareness of collection practices; recommendations include respect for the principle of lawfulness and fairness through adequate transparency mechanisms (e.g. use a layered notice), and the principle of proportionality (e.g. apply data minimization practices). [Working Paper on Intelligent Video Analytics]

UK Privacy Watchdog Warns Consumers That Shops Can Track Them

The UK’s privacy watchdog has warned that facial recognition software and handset identifiers broadcasted via Wi-Fi are allowing UK retailers to track and target customers through their smartphones. “This technology, which is starting to be rolled out in shops, allows retailers to use the customer journey to build up a picture as to how people typically use the store. It uses the MAC address of a smartphone which can, in many cases, be linked to a specific individual,” says Simon Rice, group manager for technology at the UK ICO. The technology has also been implemented in airports, transport hubs and using city-wide Wi-Fi networks. The ICO warns that smart CCTV systems and facial recognition cameras are capable of identifying individuals, and similar technology is used on the internet to target adverts at uses based on their behaviour instead of their faces. [Out-Law]

WW – Retailers Urged to Notify Customers of Mobile Tracking

Retailers have been urged to create a standard symbol, similar to the one used to denote the use of CCTV, to inform customers that their location within shopping areas is being tracked through their mobile device. The recommendation was contained in a new working paper that has been issued by an international working group on data protection in telecommunications on the topic of location tracking from communications of mobile devices. The working group’s paper said retailers should not “seek to collect and monitor outside their premises” and can avoid doing so “through careful placement of receivers, limiting data collection through a sampling method and to specified time periods or times of day.” [Out-Law]

US – At Berkeley, A New Digital Privacy Protest

After hackers breached the computer network of the U.C.L.A. medical center last summer, Janet Napolitano, president of the University of California, and her office moved to shore up security across the university system’s 10 campuses. Under a program initiated by Ms. Napolitano, the former secretary of Homeland Security in the Obama administration, the university system began installing hardware and software in its data centers that would monitor patterns of digital traffic, like what websites are being visited by faculty and students, or telltale signs of cyber intruders. The program, which was begun with little notice or consultation, soon rankled a group of professors at one campus, Berkeley, which has a deep-seated ethos of academic freedom as the cradle of the free speech movement in the 1960s. The faculty group of 11 professors critical of the monitoring program said the university system enacted the program largely in private, with little transparency about what data is being collected. The monitoring could compromise and constrain academic freedom to research topics that some find objectionable, among other repercussions, they said. In a formal meeting with the University of California’s chief information officer in December, the professors asked for the program to be halted. [New York Times]

Telecom / TV

US – Judge Says You Have No Expectation of Privacy When Using Tor

Last week, a federal judge in Washington state issued a baffling opinion suggesting that you don’t have a reasonable expectation of privacy when using Tor, the widely-used anonymity software literally designed to give its users privacy. The judge bizarrely argued that Tor doesn’t give its users complete anonymity because a user has to give their IP address to their ISP to connect to the Tor network. Therefore, he concluded, Michaud’s IP address was “public information, like an unlisted telephone number” that “eventually could have been discovered.” This makes no sense to anyone with a basic understanding of how Tor works. [Source]

Workplace Privacy

CA – Ontario Tribunal Grants Employer Access to Employee Health Information

The Toronto Transit Commission requested that the Human Rights Tribunal of Ontario grant access to an employee’s personal health information. The Order permits the employer to access and disclose the employee’s information in its occupational health file, to meaningfully respond to allegations of discrimination; access and disclosure is granted to the employer’s advisors, individuals giving instructions to counsel, and potential witnesses. [Scott Coutts v. Toronto Transit Commission and Amalgamated Transit Union Local 113 – 2016 HRTO 7 – CanLII – Human Rights Tribunal of Ontario] See also: [European Court of Human Rights Decides that Accessing an Employee’s Work IM Account Did Not Breach His Privacy Rights]



16-31 January 2016



US – Facial Recognition Systems Coming to All American Airports

After a favorable test run at the Washington Dulles International Airport in 2015, the Department of Homeland Security announced that it would be implementing facial recognition technology in all American airports of entry for foreign visitors and U.S. citizens. The “incremental” implementation will begin at the John F. Kennedy International Airport in New York City by the end of the month. While the DHS’s privacy impact assessment says the system won’t store the photos if “they do not result in an enforcement or administrative action,” privacy advocates such as the ACLU argue that this could be the first small step toward increased surveillance. [Fedscoop]

Big Data

WW – Big Data Report Roundup

The past two years have brought continuous policy discussion around the benefits and challenges that accompany this growing use of big data analytics. The White House and the FTC released reports on big data and data brokers in early 2014. Since then, policymakers and wonks of all stripes have weighed in on the subject, frequently highlighting one of the most contentious topics raised by these studies: how to ensure that the increase in automated decision-making does not result in unfair, unethical, or discriminatory effects for consumers. Early in these conversations, a coalition led by the Leadership Conference for Civil Rights released a set of civil rights principles for the era of big data that established broad guidelines for how to avoid having a discriminatory impact with the use of big data. Washington white papers naturally followed; the Future of Privacy Forum partnered with the Anti-Defamation league to produce a report on using big data to fight discrimination and empower groups; Upturn wrote a report on the intersection of big data and civil rights; the President’s Council of Economic Advisors wrote about differential pricing; and the White House has promised a report on the implications for big data technologies for civil rights. Several groups convened on the topic, including an FTC workshop, which resulted in an eventual report around the use of big data for inclusion and exclusion.

WW – Poll Finds Dismal European Big Data Attitudes

A new study conducted for Vodafone’s Institute for Society and Communications found that of 8,000 respondents, “just under a third” felt there were significant advantages to the big data, while “barely more than a quarter” trusted companies to respect their privacy and their data. The findings were an “indictment of current European data protection practices.” [Fortune] See also: [No new ‘competition rulebook’ necessary for big data age, says EU commissioner] and also [The Imperative for Ethical Standards in Analytics]


CA – Privacy Commissioners Issue Joint Resolution on Information Sharing

Canada’s Information and Privacy Commissioners issue a joint resolution to all levels of government relating to information sharing initiatives. All levels of government are urged to be open and transparent about the implementation of information sharing initiatives including what information will be collected, shared and disclosed; processes should be in place for individuals to request and correct their personal information, for staff to have regular and on-going training on relevant policies and procedures and for use of privacy impact assessments before implementation of these initiatives. [OPC Canada – Protecting and Promoting Canadians Privacy and Access Rights in Information Sharing Initiatives] [Press Release] [Resolution] [] [Parliament Should be Wary of Warrantless Access – Privacy Commission – Toronto Star]

CA – Canada’s Spy Agencies Broke Surveillance Laws, Watchdogs Reveal

A new report reveals that the Communications Security Establishment (CSE) has unlawfully shared data with foreign allies, while a report on the CSIS made public on the same day said CSIS has been neglecting to tell judges who authorize surveillance operations they are retaining elements of communications intercepts they are ordered to destroy. The reports from the watchdogs for CSE and CSIS centred on “metadata,” or the intercepted telecommunications trails reflected in phone logs and Internet protocol (IP) exchanges. Collecting and sharing such material can vastly expand intelligence-gathering operations. The legal issues this raises have been quietly debated over the past 15 years within Canada’s intelligence bureaucracy, but not in open courts or Parliament. [Globe&Mail] See also: [Watchdogs report lapses in CSIS, CSE intelligence practices] [CSIS Repeatedly Accessed CRA Taxpayer Info Without a Warrant] and [Think the Liberals will rein in the spy services? Don’t bet money on it] [Yahoo News: CSE Shut Down Data-Sharing, Post-Breach] [Canada’s Electronic Spy Agency Broke Privacy Law by Sharing Info: Watchdog]

CA – BC Privacy Breach a Failure of ‘Executive Leadership’

B.C. Information and Privacy Commissioner Elizabeth Denham said the Ministry of Education underestimated the potential fallout from misplacing a hard drive containing information about some 3.4 million school students. This week, Denham issued a report on the data breach finding that several B.C. education department workers contravened a series of security policy directives and protocols by transferring information from the ministry server onto mobile hard drives, one of which was then lost. Yukon Information and Privacy Commissioner McLeod-McKay, reacting to the B.C. report, said it’s clear that having good policies and procedures in place isn’t enough, there must also be good training and auditing of whether or not the policies are effective. [Source] [Yukon Privacy Commissioner in the Dark About Territory’s Response to Data Breach]

CA – Police Inspection of Laptop Infringed Charter: Ontario Court

Tyler Mayo filed a motion to suppress evidence alleging a violation of his Charter of Rights and Freedoms during a search and seizure. The search of a suspicious laptop (potentially containing child pornography) infringed the Charter when the police opened one of the computer files with a suspicious name, viewed its contents and attempted to open a second file (the police should have allowed the computer technician to return to the directory where the suspicious file names could be in plain view); the infringement was modest (the police conducted only a limited search of the computer relinquished to a computer store, and a warrant for a further search was obtained). [R v Mayo – 2016 INSC 125 – Can LII]

CA – Police Search of Computer Overly Broad: Alberta Court

The Court of the Queen’s Bench in Alberta considers whether search warrants complied with section 487 of the Criminal Code and section 8 of the Canadian Charter of Rights and Freedoms. Police failed to apply a date filter to the contents of the computer and storage devices being searched; exporting a decade of personal information (e.g. emails sent and received, photos, videos, complete internet browsing history and Skype exchanges) accumulated and deleted from the devices was not justified since a mirror image of the website (that the search warrant pertained to) was already secured and a number of videos on the website were already accessed. [HMQ v Mark Marek – 2016 ABQB 18 – Court of Queens Bench of Alberta]

CA – Another New Privacy Tort for Ontario

Last week saw a striking decision issued by the Ontario Superior Court of Justice. 2102 saw the tort of “intrusion upon seclusion” recognized; in 2016, we now have the tort of “public disclosure of private facts”. Unlike the 2012 decision, this one came with a large damage award. Conduct characterized as “revenge porn” clearly fits within the elements of this tort. Mr. Justice Stinson, having found that not one but two torts had been committed, could have stopped there. However, in concluding as he did, he recognized a new cause of action in Ontario: “public disclosure of private facts”. Mr. Justice Stinson modified the test articulated by Prosser, reflecting modern communication technology, to say “…if the matter publicized or the act of publication…” [Source] See also: [Experts praise court decision against man for posting explicit video of ex-girlfriend]

CA – Privacy Commissioner Launches Online Privacy Tool for Families

To mark international data privacy day, the Office of the Privacy Commissioner of Canada has launched “House Rules“—a new interactive tool for families aimed at helping parents manage the online risks facing their children. Parents are invited to use the tool to assess how their children interact online through games, mobile applications and social networking sites as a means of starting a dialogue on safe and responsible surfing. The tool offers simple tips parents and children can customize into their very own “House Rules” that can be printed off and posted in a common area as a reminder of how to protect privacy online. The Office of the Privacy Commissioner of Canada is also unveiling a new tip sheet for individuals to help all Canadians become more familiar with the basics of privacy protection. [Source]


US – Americans Express “Loss of Control” Over Their Data: Study

A study on American privacy perspectives found that 91% of Americans feel as though they’ve “lost control” over their data, with 86% taking steps to protect their information online and 47% still unsure about the breadth of the data that’s being collected about them, the organization reports. “Americans express a consistent lack of confidence about the security of everyday communication channels and the organizations that control them — particularly when it comes to the use of online tools, and they exhibited a deep lack of faith in organizations of all kinds, public or private, in protecting the personal information they collect.” Attitudes about surveillance, however, are split, with 52% expressing high levels of concern about the practice, while 46% identified as “not very concerned.” [PEW Research]

US – More Americans Worried About Privacy than Income Loss: Report

A new report from the TRUSTe/National Cyber Security Alliance Consumer Privacy Index indicates more Americans are worried about their data privacy than losing their main source of income. The study indicates concerns over online privacy beat worries about income loss by 11%. The study also found that 56% of Americans say they “trust businesses with their personal information online,” the report states. “If you ask, ‘what does privacy mean for you?’ you’ll find that privacy is an individual thing, and it is different for every person.” [CBS News]

WW – Password List Illustrates User Annoyance and Tech Dead End

SplashData’s annual list of most common passwords found that, once again, “123456” is America’s most beloved digital key. However, this comical collection highlights both user frustration with password use and the technological sector’s current quest to replace it with something more sophisticated. Fingerprint authentication is one future avenue, but critics argue that the commonality of our fingerprints makes them easy to lift and nefariously employ. [The Washington Post]

WW – Study: Bitcoin Users Trust the Currency’s Promise of Privacy Too Much

A new bitcoin study conducted by Rutgers University found that bitcoin users overestimate its provision of anonymity. Bitcoin “transactions are recorded in a public ledger and are traceable with some effort.” “The users in the study trust the security and privacy mechanisms of Bitcoin more than they actually should.” The currency’s increased privacy, however, could give it an edge over physical money in the future. “What I personally like [about bitcoin use] is the anonymity,” said a study author. “You can’t track at all what I’m buying from the supermarket if I don’t use a loyalty card with my purchases when I pay in cash.” [Rutgers]


CA – Supreme Court Gears to Battle Ottawa Over IT Rules

The country’s highest court is ready to launch a legal battle with the federal government over new IT rules, which the Supreme Court of Canada fears would threaten its independence. The Supreme Court is not alone in these concerns: the Federal Court, Federal Court of Appeal, Court Martial Appeal Court and Tax Court are all prepared to launch a constitutional challenge against having the government’s super-IT department involved in their digital affairs. The federal Liberals are now left to decide how to handle an issue created by a decision of the previous Conservative government that came into effect during the federal election. That decision forced the courts to go through Shared Services Canada for all IT purchases, such as servers, routers and software, rather than letting them make the procurements on their own. The courts had that power until Sept. 1, when the new rules kicked in and made them a “mandatory client” of Shared Services Canada, which oversees purchases and digital services for 43 of the heaviest IT users in the federal government. The move approved by the Conservative cabinet in May 2015 was supposed to save money, since Shared Services Canada buys in bulk, and improve digital security, because it buys from safe suppliers. [Toronto Star]


US – Yahoo Enters Into Settlement Agreement for Alleged Email Scanning and Extraction Practices

Yahoo accepts a settlement agreement for alleged e-mail scanning and extraction practices that violated the Stored Communications Act and California’s Invasion of Privacy Act. Yahoo must make technical changes so that all incoming and outgoing emails send to and from users in the US are analyzed for advertising purposes only after the user can access the email in their inbox or sent folder; modifications to its website include a paragraphs stating that all communications content is analyzed and stored, and that keywords, package tracking and product ID numbers are shared with third parties. [In Re Yahoo Mail Litigation – US District Court Northern District of California San Jose Division – Case No. 5-13-cv-04980-LHK] [Related News Article]

Electronic Records

US – Research Firms Team For Privacy Initiative

ESOMAR, an association for market research firms, announced on Data Privacy Day a new initiative by its members aimed at boosting “transparency and choice for online audience measurement research.” Headed up by comScore, GfK, Kantar, and Nielsen, the effort, dubbed Research Choices, will help consumers understand online data collection practices and facilitate access to different choice mechanisms across the Internet. Research firms interested in joining the effort must subscribe to the ESOMAR code of conduct, or equivalent ethical code. [IAPP Privacy Advisor]

US – Improper Employee Log-in Use Led to Californian Health Insurance Breach

21,000 Blue Shield of California members were affected by a breach catalyzed by “the misuse of Blue Shield customer service representatives’ log-in information.” While the company’s data systems were left unsullied, everything from Social Security numbers to addresses “could” have been exposed between September and December 2015, the company notified the affected. The company promised complimentary credit-tracking to victims. [FierceHealthPayer]


US – California Bill Prohibits the Sale of Encrypted Smartphones

Assembly Bill 1681, amending existing state law and the Business and Professions Code to prohibit the sale of encrypted smartphones, is introduced. The bill requires that a smartphone manufactured on or after January 1, 2017, and sold or leased in California, must be capable of being decrypted and unlocked by its manufacturer or operating system provider; a $2,500 penalty will be imposed for non-compliance with the decryption requirement for each smartphone sold or leased. [Assembly Bill 1681 – An Act to add Section 22762 to the Business and Profession Code, Relating to Smartphones – California Assembly] See also: [BlackBerry says its encryption has not been “cracked” by police]

EU Developments

EU – Safe Harbor Deadline Passed: Agreement Reached

The deadline for the US and European Union negotiators to reach a new Safe Harbor data protection agreement satisfactory to both entities was January 31, 2016. The old arrangement was invalidated last fall after the EU Court of Justice found that it did not adequately protect the privacy of EU citizens. [The Hill] [ComputerWorld] [Ars Technica] The European Commission announced an agreement with the U.S. Department of Commerce to replace the invalidated Safe Harbor agreement on transatlantic data flows with a new EU-U.S. “Privacy Shield.” [Hogan Lovells: EU-U.S. Privacy Shield to Replace Safe Harbor]

WW – Law Firm Contends U.S., EU Privacy Protections Are Equal

According to Geoffrey Robertson QC, the October ECJ judgment that invalidated the “safe harbour” agreement was based on trusting news reports of revelations by Edward Snowden rather than a thorough investigation of US law. He added that the US had become more “privacy friendly” than Europe. He made the comments in an independent opinion commissioned by Facebook, which has been affected by the ECJ ruling. The social network is lobbying against the decision alongside other big technology groups. The barrister, who has represented WikiLeaks and media companies in free-speech cases, said: “It is intellectually dishonest at present to say we have any kind of protection in Europe against national security surveillance.” [] The Sidley report represents one of the most comprehensive rebuttals to suggestions that the European Court of Justice’s ruling in October on privacy opened an irreparable rupture for U.S. and EU commerce. The decision tossed out the widely used business data-transfer agreement on the grounds that Europeans’ privacy might not be adequately protected against U.S. national security surveillance. The Sidley Austin authors, based in the U.S. and EU, said that while the ECJ did invalidate the agreement, it did so because a test had not been done to establish equivalent privacy protections in the U.S., leaving the door open to a new agreement that is based on such a finding of equal privacy. [Source] [Take-up of cloud storage in Europe affected by privacy issues]

EU – Study Hints at How E-Privacy Directive Might be Reformed

The Commission wants to update the EU’s Privacy and Electronic Communications (e-Privacy) Directive and the recommendations made to it last summer suggest that wide-ranging changes are likely, including to rules on the use of cookies, direct digital marketing and on the processing of location data.

Telecoms bodies have called for the repeal of the e-Privacy regime, but the study suggests it will be expanded and will have an impact on many more businesses that communicate via digital channels than is currently the case. The Commission, which first outlined its intention to reform the e-Privacy Directive in 2014, has promised to consider the findings of the study. Proposals for reforms are scheduled to be instigated this year, with a consultation on the reforms likely to be opened in March, according to recent reports. [Out-Law]

EU – Independence of Data Protection Commissioner Questioned

The Irish High Court is being asked to make a referral to the EU’s highest court for a ruling on whether Ireland’s Data Protection Commissioner is truly independent under EU law. Legal papers served on the State and the Attorney General claim the State has acted in breach of EU law by failing to ensure the regulator exercises its role independently. The action is being taken by the privacy advocacy group Digital Rights Ireland (DRI), which took a successful case to the Court of Justice of the European Union in 2014 overturning the entire regime under which the telephone and internet data of over 500 million European citizens were retained for up to two years. The papers note that the office of the commissioner, Helen Dixon, is integrated with the Department of Justice and that the commissioner and all her office’s employees are civil servants. They also allege the commissioner has failed to act independently in policing databases of citizens created in recent years by both Irish Water and the Department of Education. The commissioner’s office is considered one of the most important regulatory roles in Europe because of the high number of multinational, data-rich firms based in Ireland, including Facebook, Apple and LinkedIn. It has come under repeated criticism from some EU sources for being “soft” on regulation, partly because of the number of jobs such firms support here. That allegation has been denied by the current commissioner and by her immediate predecessor Billy Hawkes. [Source]

Facts & Stats

US – Breach Costs Often Come Long After Incident Detection: Survey

According to a new study, the costs of data breaches go “far beyond the initial incident response and customer notification costs.” The SANS Institute survey found that “about one third of organizations are able to remediate breaches within a week of detection, and the greatest financial impact from breaches extended months and even years beyond the event for the majority of organizations.” The survey looked at how nearly 60 organizations coped with breaches and found more than 40% said the greatest impact from the breach was felt one to 12 months after the incident. Some of that was because of unforeseen required actions necessary for forensics or data recovery. [Dark Reading]

US – OTA Releases 2016 Data Protection & Breach Readiness Guide

91% of breaches are avoidable. The best defense is implementing a broad set of operational and technical best practices that helps protect your company and your customers’ personal data. The second step is to be prepared with a data lifecycle plan that allows a company to respond with immediacy. Ultimately, industry needs to understand that effectively handling a breach is a shared responsibility of every functional group within the organization. A key to success is moving from a compliance perspective to one of stewardship. This perspective recognizes the long term impact to a brand, the importance of consumer trust and implications and considerations with vendors and business partners. The OTA Guide Guide includes risk assessment guide for service providers, check lists for cyber insurance, security best practices, incident reporting forms and remediation service check lists and more. [OTA Alliance] [Cyber Attackers Focusing on Targets With Most Valuable Data] []


WW – Insurers Will Look for Evidence of Appropriate Cyber Defenses for Cyber Insurance Policies in 2016

Insurers who provide cyber insurance are not convinced enterprises are doing enough to protect their digital assets. A recent study from CSO outlines some major changes coming to cyber security insurance in 2016: Cyber insurance will move toward a “must have” and “evidence based” model with new minimum level requirements in place for policies. This is expected to disrupt the cyber security industry and place new challenges on IT workers. However, it is good news for customers because it drives improvements to companies’ ability to handle threats and protect customer information. (RSA)

WW – Survey: Half of IT Pros Don’t Know Where Their Payment Data is Stored

A recent study indicates a “critical need” for organizations to improve their payment data security practices. A study by Gemalto of more than 3,700 IT professionals found 54% said their companies had experienced a data breach involving payment data “an average of four times in the past two years,” and 55% said they don’t know where their payment data is stored. Meanwhile, researchers say they’ve found four vulnerabilities in Lenovo ShareIT, which they say could mean data leaks. [InformationAge]

CA – Disclosure of PI for Purposes of Debt Collection: How Far Can You Go?

The applicable federal private sector legislation, the Personal Information Protection and Electronic Documents Act (PIPEDA), allows the disclosure of personal information about an individual without their consent for the purpose of collecting a debt owed by the individual. However, based on the position reportedly taken by the Privacy Commissioner in this case, publicly posting private financial information of identifiable individuals does not fit within the ambit of the exception and the exception does not give a blanket permission to indiscriminately disclose a debtor’s personal information. [Lexology]


CA – Info Commissioners Call on Governments to Create a Duty to Document

Canada’s Information Commissioners have called on their respective governments to create a legislated duty requiring public entities to document matters related to their deliberations, actions and decisions.

In a joint resolution, information commissioners expressed concerns about the trend towards no records responses to access to information requests. This lack of records weakens Canadians’ right of access and the accountability framework that is the basis of Canada’s access to information laws. Without adequate records, public entities also compromise their ability to make evidence based decisions, fulfill legal obligations, and preserve the historical record. Canada’s information commissioners have urged governments to create a positive duty for public servants and officials to create full and accurate records of their business activities. This duty must be accompanied by effective oversight and enforcement that ensures Canadians’ right of access to public records remains meaningful and effective. [Source]

CA – BC OIPC Rejects Third Party’s Assertion that Contract Information is Supplied and Subject to Exemption from Disclosure

This OIPC order reviews the Ministry of International Trade and Ministry Responsible for Asia Pacific Strategy and Multiculturalism’s decision not to withhold records requested under B.C.’s Freedom of Information and Protection of Privacy Act. The information does not meet the second part of a 3-part test because it is not supplied to a government ministry, but negotiated; the disputed information contains the sort of detail about contractual arrangements that would have been susceptible to change through negotiation, and it is clear that an agreement was reached between the parties to amend certain obligations of an existing contract. [OIPC BC – Order FEW-71 – Ministry of International Trade and Ministry Responsible for Asia Pacific Strategy and Multiculturalism]

CA – The Northwest Territories’ Health-Specific Privacy Legislation In Effect

The Northwest Territories have enacted the Health Information Act, SNWT 2014, c 2 (HIA) which took effect on October 1, 2015. The HIA sets out rules for the collection, use and disclosure of personal health information; the Act is designed to protect health information and facilitate the provision of health services. Much like the health privacy statutes of other provinces, the HIA recognizes the sensitive nature of personal health information, which is frequently shared in the provision of health care and the management of our publicly funded health care system. Other Canadian provinces and territories have similar legislation, including Alberta, Saskatchewan, Manitoba, Ontario, Newfoundland and Labrador, New Brunswick, Nova Scotia, British Columbia and Quebec. Similar laws have also been passed in Prince Edward Island (Bill 42 – Health Information Act) and Yukon (Bill 61 – Health Information Privacy and Management Act), but have yet to be enacted into force. [Lexology]

Health / Medical

US – Academy of Family Physicians Clarifies HIPAA Disclosure Amendments

The American Academy of Family Physicians clarifies the amendments to the HIPAA Privacy Rule. Covered entities can disclose the minimum necessary identifying information about individuals who have been involuntarily committed to a mental health institution, lack the mental capacity to manage their own affairs, or have been determined to be a danger to themselves or others; the Rule is not applicable to most health care professionals and diagnostic or clinical information may not be disclosed. [Modified HIPAA Rule Allows Limited Reporting of Patient Information – American Academy of Family Physicians]

US – Health Care Entities Unite for Privacy’s Sake

In an effort to curb cyberattacks, privacy gaffes and HIPAA breaches, the Electronic Healthcare Network Accreditation Commission and the National Health Information Sharing and Analysis Center have become allies, with plans to initiate blended teams to analyze threats, present research, and plan education events. “We are our own worst enemy, and if we don’t come together and share information, the bad guys are sharing information, and shame on us,” said NH-ISAC President. “The collaboration is significant, because there’s growing need for healthcare organizations to share threat level data,” the report adds. “This information has been ineffectively shared in the past because of competitive pressures and the disjointed nature of the industry.” [HealthData Management]

US – HIPAA Modified in Light of President Obama’s Executive Order

The U.S. Department of Health and Human Services’ Office of Civil Rights updated HIPAA in accordance with President Obama’s executive order regarding firearms. Entities under the HIPAA umbrella will be able to provide the National Instant Criminal Background Check System with the identities of individuals with a “mental health prohibitor” that would prevent them from “transporting, possessing or receiving a firearm,” starting Feb. 5 of this year. The revision “does not apply to most health care providers, allows only limited demographic and certain other information needed for the purposes of reporting to the background check system, and specifically prohibits the disclosure of diagnostic or clinical information from medical records or other sources.” [National Law Review]

US – FDA Issues Medical Device Cybersecurity Draft Guidance

The US Food and Drug Administration (FDA) has issued draft guidance, “Postmarket Management of Cybersecurity in Medical Devices,” for device manufacturers. In October 2014, the FDA issued guidance for medical device manufacturers regarding building cybersecurity into their product from the beginning of the development process. [News-Medical] [GovInfoSecurity] [January 2016 Draft Guidance] [October 2014 Guidance]

Horror Stories

US – LinkedIn’s Individual Payment in Data Loss Settlement Sets It Apart

Class counsel has dubbed the $13 million, $16-per-victim LinkedIn class-action settlement “particularly impressive” in comparison to the outcome of other cyber privacy suits due to the individual-by-individual payoff. More than 550,000 LinkedIn netizens reported that they were victims of the company’s misuse of contact information after it sent invitational emails to user connections. In addition to user payment, the settlement requires LinkedIn to improve and clarify its disclosure policy in regards to its “Add Connections” feature, among others. The arrangement is still awaiting final approval by California’s U.S. District Court Judge Lucy Koh. [Media Post]

Identity Issues

FTC: Tax Fraud Behind 47% Spike in ID Theft

In kicking off “Tax Identity Theft Awareness Week,” FTC released new stats showing that the agency received more than 490,000 identity theft complaints last year, a 47% increase over 2014. In a conference call with the news media, FTC Chairwoman Edith Ramirez called tax refund fraud “the largest and fastest growing ID theft category” that the commission tracks. [Source]

US – FTC Announces Significant Enhancements to

For the first time, identity theft victims can now go online and get a free, personalized identity theft recovery plan as a result of significant enhancements to the FTC’s website. The new one-stop website is integrated with the FTC’s consumer complaint system, allowing consumers who are victims of identity theft to rapidly file a complaint with the FTC and then get a personalized guide to recovery that helps streamline many of the steps involved. [FTC Press Release]

Intellectual Property

WW – Netflix Cracking Down On Proxy Users

Netflix says it’s going to crack down on customers using VPN software to access content that isn’t available or licensed in their country of origin. “Some members use proxies or ‘unblockers’ to access titles available outside their territory,” the company said in a statement. “In coming weeks, those members using proxies and unblockers will only be able to access the service in the country where they currently are.” The move is aimed at appeasing content producers’ licensing agreements with Netflix. [TechCrunch]

Internet / WWW

WW – Winners of FPF Best Privacy Papers Announced

The Future of Privacy Forum announced its choices for the best privacy research papers of 2015 at the Sixth Annual Privacy Papers for Policymakers. The winners were Florian Schaub, Rebecca Balebako, Adam L. Durity, and Lorrie Faith Cranor, for “A Design Space for Effective Privacy Notices“; Ira S. Rubinstein and Woodrow Hartzog’s “Anonymization and Risk“; Arvind Narayanan, Joanna Huey, and Edward W. Felten’s “A Precautionary Approach to Big Data Privacy“; Ryan Calo’s “Privacy and Markets: A Love Story,” and Neil Richards and Woodrow Hartzog’s “Taking Trust Seriously in Privacy Law.” Honorable mention went to Peter Swire for “Going Dark: Encryption, Technology, and the Balance Between Public Safety and Privacy“ and Joel R. Reidenberg’s “The Transparent Citizen.” A summary of each of the winning papers can be found here. [FPF]

Law Enforcement

US – CDT Sides with ACLU on Unconstitutionality of Sex Offender Regulations

A Center for Democracy & Technology amicus brief for the Sixth Circuit’s Doe v. Snyder case supports the ACLU of Michigan’s assertion that the online registration regulations for former sex offenders are indeed a constitutional breach, the organization said in statement. “The district court wrongly concluded that the identifiers requirement does not infringe registrants’ constitutionally protected right to engage in unidentified expression, because the law does not unmask their anonymity to the public. But the right to speak without identifying oneself or one’s content to the government is critical — particularly for engaging in expression that may be controversial or highly personal,” the statement reads, adding that the regulation does not further state any plans for data protection. “We urge the Sixth Circuit to hold Michigan’s ‘Internet identifiers’ requirement to that standard and declare it unconstitutional on its face,” the report continues. []


US – ALPR “Unprecedented Threat to Privacy”

Throughout the United States—outside private houses, apartment complexes, shopping centers, and businesses with large employee parking lots—a private corporation, Vigilant Solutions, is taking photos of cars and trucks with its vast network of unobtrusive. A private company has captured 2.2 billion photos of license plates in cities throughout America. It stores them in a database, tagged with the location where they were taken. And it is selling that data. [The Atlantic]

WW – Industry Group Issues Safeguards to Mitigate Privacy Risks Associated with Location Tracking

The International Working Group on Data Protection in Telecommunications issued a working paper on location tracking in mobile devices. Privacy risks of location tracking of mobile devices includes covert collection of device specific identifiers, and the combination of tracking data with other online/offline information; recommendations include conducting a PIA, notifying individuals, limiting the bounds of data collection, anonymising data without delay, appropriate retention of individual level data, consent for combination with other information and for sharing of individually identifiable data with third parties, and implementing a simple and effective means to control collection. [Working Paper on Location Tracking from Communications of Mobile Devices]

Online Privacy

WW – Skype Now Hides Your Internet Address

Ne’er-do-wells have long abused a feature in Skype to glean the Internet address of other users. Indeed, many shady online services that can be hired to launch attacks aimed at knocking users offline bundle so-called “Skype resolvers” that let customers find a target’s last known location online. At long last, Microsoft says its latest version of Skype will hide user Internet addresses by default. [Krebs]

Privacy (US)

EU – Schrems Responds to US Lobby Groups on Safe Harbor

In a brief but clearly argued letter to European data protection authorities, Max Schrems writes that “attempts by lobby groups and the US government to ‘reinterpret’ or ‘overturn the clear judgement of the Union’s highest court are fundamentally flawed.” Schrems brought the successful case to theEuropean Court of Justice that struck down the Safe Harbor arrangement. The Schrems letter, released on International Data Protection Day, also states that a new transfer agreement must provide “protection against government surveillance and “essentially equivalent” protection against the commercial use of data by certified companies.” Max Schrems received the 2013 EPIC Champion of Freedom Award.

US – Law Firm Argues US, EU Privacy Laws ‘Essentially Equivalent’

A recent report from a US law firm concludes that the US offers essentially equivalent privacy protection to Europe. The report also finds that “This body of laws ensures that government access to data for law-enforcement and intelligence purposes is limited to what is necessary and proportionate.” However, all travel records of Europeans are routinely transferred to the US Department of Homeland Security without any legal protection, and under Section 702 of the Patriot Act, the US government routinely obtains vast amounts of personal data on non-US persons, including communications logs and website activity. Executive Order 12333 provides even broader surveillance authorities. [Sidley Austin LLP: “Essentially Equivalent” (Jan. 2016)]

US – FTC Issues Privacy Update Report

The FTC announced the publication of its Privacy & Data Security Update 2015. The report aims to highlight the agency’s commitment to ensuring consumers are able to reap “the benefits of innovation in the marketplace, confident that their personal information — online and offline — is being handled responsibly,” citing a host of its 2015 initiatives, from the PrivacyCon event to its, as evidence of meeting that goal. “Each of our projects in the privacy and data security arena has been informed by a central message: Even in the face of rapidly changing business models and technologies, companies still need to follow fundamental privacy principles.” [FTC]

US – Wyoming Legislature to Consider ‘Right to Privacy’

The Wyoming State Legislature will debate whether Wisconsin voters will vote on the addition of privacy as a citizen’s right in the state’s constitution. This will be the second attempt by privacy advocates to get the legislature to consider such an addition, after it was thrown out last year for imprecise language and confusing implications. This measure specifies that it “wouldn’t deprive people of the right to inspect public records or observe government operations” and has the support of the chief information officer for the State of Wyoming. According to the National Conference of State Legislatures, 10 other state constitutions already recognize citizens’ right to privacy. They are: Alaska, Arizona, California, Florida, Hawaii, Illinois, Louisiana, Montana, South Carolina and Washington. [ABC News]

US – ACLU Leads Privacy Charge In 16 States

Frustrated with the lack of federal leadership on privacy issues, the ACLU has orchestrated a rollout of state-level legislation that would work to make privacy regulations more sophisticated across 16 states. The ACLU has found allies in exasperated legislators as well. Regarding privacy issues, “our federal gov­ernment didn’t take the lead and should have taken the lead,” said Rep. Peter Lucido, R-Mich., adding, “But now it left us all to go ahead and fend for ourselves at the state level.” The bills cover everything from law enforcement surveillance to student and employee privacy rights. “This movement is about seiz­ing control over our lives,” said the ACLU’s Anthony Romero. “Everyone should be empowered to de­cide who has access to their personal information.” [The National Journal]

US – New York Bill Requires Mobile Devices to Have an Enabled Solution to Render the Device Permanently Inoperable

Senate Bill S.51, the Smartphone and Tablet Security Act, was introduced in the New York State Senate and referred to the Consumer Protection Committee. Owners of devices sold after January 1, 2016 must be able to disable voice communications, connections to the internet, and access and use of mobile software applications when the device is no longer in their possession; these features can be disabled by consumers after purchase (but not by retail sellers). [S.51 – The Smartphone and Tablet Security Act – New York Senate]

US – EPIC Gives 2016 Freedom Award to Viviane Reding

EPIC has presented the 2016 International Champion of Freedom Award to former EU Justice Minister Viviane Reding. Ms. Reding led the effort in the European Common for adoption of the new European privacy law, the General Data Protection Regulation. The EPIC award was presented January 27, 2016, at the annual Computers, Privacy & Data Protection conference in Brussels. [EPIC]

US – How Facebook Tracks and Profits from Voters in a $10bn US Election

The Cruz campaign is using Facebook to target voters on a range of broad issues like immigration controls to niche specific causes such as abolishing state laws against the sale of fireworks. Facebook told investors it was “excited about the targeting”, and does not let candidates track individual users. But it does now allow presidential campaigns to upload their massive email lists and voter files – which contain political habits, real names, home addresses and phone numbers – to the company’s advertising network. The company will then match real-life voters with their Facebook accounts, which follow individuals as they move across congressional districts and are filled with insightful data. The data is encrypted and not maintained by Facebook after ads run, the company said. Acxiom, a massive data broker based in Little Rock, Arkansas, helps campaigns upload the voter info. But a campaign operative said the Texas senator has been using Facebook ads to raise money, among other things, and a Guardian analysis shows Cruz-affiliated donors are spending $10,000 per day on Facebook “placement” as the first vote nears. [The Guardian]

Privacy Enhancing Technologies (PETs)

UK – Government Rolls Out Massive Blockchain Report

In a major 88 page tome on Blockchain and distributed ledgers, the UK Government’s Chief Scientist sets out how this technology could transform the delivery of public services and boost productivity. The UK report states that Blockchain technology could provide government with new tools to reduce fraud, error and the cost of paper intensive processes and it also has the potential to provide new ways of assuring ownership and provenance for goods and intellectual property. The report also includes a lengthy look at Estonia who is already moving quickly to adopt distributed ledgers — and the case study of Estonia shows how quickly a small country with an effective digitally-aware leadership can progress and considers the features of advancing digital nations. [Source] See also: [Privacy on the Blockchain: Exploring the Blockchain technology and its privacy potential]


WW – Study: Cybersecurity Fears Top Terrorism, Climate Worries

The World Economic Forum’s annual Global Risks Report named cybersecurity among its gravest industry threats, ranking higher than terrorism and climate change. This is the third time in a row that the issue has made the study. “As the Internet of Things leads to more connections between people and machines, cyber dependency — considered by survey respondents as the third most important global trend — will increase, raising the odds of a cyberattack with potential cascading effects across the cyber ecosystem.” [SC Magazine]

CA – Regulator Issues Vendor Risk Assessment and Cyberincident Checklist

The Investment Regulatory Organization of Canada (“IIROC”) has issued a guide for vendor risk management for small and mid-sized Dealer Members. Assessing vendor risk requires a detailed response from vendors regarding their consideration of issues such as vendor controls, security architecture, information system configuration, access controls, security monitoring, physical security, contingency planning, and their business associates. [Vendor Risk Management – Investment Industry Regulatory Organization of Canada] Organizations should undertake activities before an incident (e.g. create a prioritized list of information assets critical to the functioning of the organization), during an incident (e.g. convene one teleconference to discuss what is required to restore operations), and after an incident (e.g. discuss any changes in process or technology needed to mitigate future incidents [Cybersecurity Best Practices Guide – Investment Industry Regulatory Organization of Canada]

WW – Software Bugs Rampant in Home Wi-Fi Routers

There has been a proliferation of software bugs in basic home Wi-Fi routers and the subsequent difficulty in getting security patches out to users. In one example, a bug that was fixed by Allegro Software Development nearly 10 years ago was still found to exist in more than 10 million devices. It turns out that a router manufacturer had been including the pre-2002 version of Allegro’s software on new routers. “The router flaw highlights an enduring problem in computer security: Fixing bugs once they have been released into the world is sometimes difficult and often overlooked,” the report states. [Wall Street Journal]

Smart Cars

US – Auto Industry, DoT Agree on Cybersecurity Best Practices

The U.S. Department of Transportation and 17 automakers have reached an agreement designed to improve safety and increase the sharing of cyber-threat information. With regard to cybersecurity, the automakers — including General Motors, Ford, and Toyota — also agreed to suggest best practices, share lessons learned, and work with the info-sharing and analysis center created by the auto industry last year. The group released a list of “proactive safety principles” that aim to help the industry improve cybersecurity. The list includes plans to create an automotive industry Information Sharing and Analysis Center (ISAC). Automobile supply companies will be urged to join as well. The car makers also want to work with bug hunters. [ComputerWorld] [Wired] [Proactive Safety Principles 2016] Last year, security specialists successfully hacked into and took control over a connected car, prompting a first-of-its-kind recall by Fiat-Chrysler. [Bloomberg]

CA – OIPC AB Issues PIA Guidelines for Auto Insurers Offering Usage-Based Insurance Programs

The Alberta Office of the Information and Privacy Commissioner issued privacy impact assessment guidelines for insurers implementing usage-based insurance programs. When submitting a PIA for review, details should be provided about the organization’s management structure, policy management, training, incident response, and access and correction requests; an analysis of program-specific privacy topics should be completed (such as information flow, notifications, consent, contracts, agreements and use of PI outside Canada) and include a description of access controls, mitigation plans and monitoring procedures. [OIPC AB – Privacy Impact Assessment Guidelines for Insurers]

EU – European Commission Issues Recommendations for Data Protection and Privacy in Intelligent Transport Systems

The European Commission Cooperative Intelligence Transport Systems (“CITS”) Platform Working Group issued its final report relating to privacy and data protection in the context of CITS. Messages sent between vehicles and the IT infrastructure raises potential concerns because of the potential indirect identification of users; a list of clearly identified applications where consent is necessary should be accessible to drivers and all situations where secondary use or re-purposing of data may take place should be identified. [European Commission – C-ITS Platform Final Report]

EU – Security and Privacy Challenges in Developing an EU Legal Framework for Automated Vehicles

The European Parliamentary Research Service issued a report on data protection and cyber security in automated vehicles. Connected cars can generate, store and transmit users’ personal data (route to work, time of driving, appointments, etc.) that have significant potential for other uses; the connection between the in-vehicle system and the vehicle manufacturer’s central server has to be secure to prevent unauthorised disclosure and manipulation. [European Parliamentary Research Service – Automated Vehicles in the EU]


US – NSA Civil Liberties and Privacy Office Issues Results of Assessment of its Metadata Collection

The Civil Liberties and Privacy Office at the NSA issues a report on a privacy impact assessment examining implementation of changes effected by the USA FREEDOM Act. Collection of call record details satisfies the transparency principle through release of detailed implementation information and mandatory reporting requirements (i.e. number of targets, unique identifiers used and search terms); the principle of data minimization is satisfied because only telephone metadata can be collected, records that do contain foreign intelligence information must be promptly destroyed and data can only be retained for a maximum of 5 years. [NSA Civil Liberties and Privacy Office – Transparency Report – the USA FREEDOM Act Business Records FISA Implementation]

US – California Police Department Uses Stingrays from Planes

According to documents obtained by the ACLU, the police department in Anaheim, California, has used surveillance technology that has been referred to as “stingray on steroids.” Known as Dirtboxes, the powerful cell-site simulators are mounted on airplanes to collect data on thousands of phones at once — listening to conversations, reading emails and text messages — beginning in 2009. A California state law that came into effect on January 1, 2016 requires law enforcement agents to obtain a warrant before using a cell-site simulator. [Ars Technica] [Wired] [Document Cloud] [BuzzFeed] SEE ALSO: [Hailstorm surveillance tool in privacy advocates’ crosshairs]

US – Commonwealth Court Rules Pro-Police In Phone Rummaging Case

Massachusetts Supreme Judicial Court ruled in favor of police officers who obtained a warrant to search a suspect’s iPhone and checked both his texts and photographs. The defendant argued that police only had probable cause to inspect his texts. “Communications can come in many forms including photographic,” the majority opinion countered. “So long as such evidence may reasonably be found in the file containing the defendant’s photographs, that file may be searched.” Critics are calling for new regulations to protect mobile privacy. “We need very clear standards for police officers who are issuing warrant applications,” said the ACLU Massachusetts. [Ars Technica]

US – Report Says the Threat of “Going Dark” is Overstated

A report from Harvard’s Berkman Center for Internet & Society, titled, “Don’t Panic: Making Progress on the ‘Going Dark’ Debate,” says that US law enforcement’s concerns about encryption allowing terrorists to “go dark” overstate the problem. The report said that while encryption may hinder some surveillance activity, the increasing spread of Internet connected devices can “likely fill some of these gaps and … ensure that the government will obtain new opportunities to” conduct surveillance. [The Hill] [ComputerWorld] [ZDNet] [CNET] [New York Times] and also: [Hillary Clinton Hints At Apple, Facebook Compromise Over Encryption]

US – NYC Dept of Consumer Affairs Investigating Baby Monitor Security

The New York City Department of Consumer Affairs is investigating baby monitors that are vulnerable to attacks. The agency has sent subpoenas to four as-yet unnamed companies asking for information about the way they address the security of their products. It has also posted an alert for consumers that includes advice on how to protect their monitors. [NBC News] [Wired] [] [NYC launches investigation into hackability of baby monitors ]

Telecom / TV

CA – Cell Phone Evidence Should Not Be Excluded: Ontario Court

The Ontario Superior Court of Justice considers an application by an arrestee to exclude from evidence at trial his cell phone and cell phone number, pursuant to the Canadian Charter of Rights and Freedoms. Defendant has only a low privacy interest in the cell phone and the number (e.g. it is less personal than health records and the call log was acquired only after obtaining judicial authorization); Defendant himself made reference to his cell phone after he had been given the opportunity to consult with his counsel, and the cell phone number could have been extracted from the cell phone itself (which was already in police possession). [Her Majesty the Queen v. Andre Palmer – 2016 ONSC 153 – Ontario Superior Court of Justice]

CA – Ontario Court: Production Order for Cell Tower Information is Unreasonable Search and Seizure

The Ontario Superior Court of Justice issued a decision on the application by Rogers Communications and Telus Communications to revoke a production order pursuant to section 487.012(5) of the Criminal Code. The required disclosure of personal information was beyond what was reasonably necessary to gather evidence, such as bank and credit card information, information of any subscriber near to the scene, and the location of the other party to the call (who could be far removed from the crime scene); production orders should include an explanation of why the requested information is relevant, details to conduct a narrower search and request a report based on the data (not the data itself). [Her Majesty the Queen v Rogers Communications Partnership and Telus Communications Company – Ontario Superior Court of Justice – Court File No CRIMJ P 299-14] See also: [Dragnet No More? Recent guidance on production orders] and also: [D. Fraser: Tower dump case raises troubling questions about law enforcement and privacy] and [Canadian Judge Offers Guidelines to Make Cellphone Surveillance Less Intrusive]

US – NY Bill Requires Smartphones to be Decrypted or Unlocked by Manufacturers or System Providers

Assembly Bill A8093, relating to the Manufacturing and Sale of Smartphones That are Capable of Being Decrypted and Unlocked by the Manufacturer was introduced in the General Assembly. An Assembly Bill, if passed, would require that any smartphone that is manufactured on or after January 1st, 2016, and sold or leased in New York, be capable of being decrypted and unlocked by its manufacturer or its operating system provider; the seller or lessor of any smartphone that is not capable of being decrypted and unlocked will be subject to a civil penalty of $2500 for each smartphone sold or leased (a civil suit may be brought by the attorney general or the district attorney). [AB A8093 – An Act to Amend the General Business Law in Relation to the Manufacturing and Sale of Smartphones That are Capable of Being Decrypted and Unlocked by the Manufacturer]

US Government Programs

US – New US Government Agency Will Handle Background Checks

The White House has announced that a new agency will assume the job of conducting background checks on contractors and government employees. The Office of Personnel Management’s (OPM) Federal Investigative Services (FIS) will become part of the National Background Investigations Bureau (NBIB). “The Department of Defense will assume the responsibility for the design, development, security, and operation of the background investigations IT systems for the NBIB.” [FCW] [] [NextGov] [The Hill] []

WW – FIDO Issues Privacy White Paper

The FIDO Alliance has issued a new Privacy White Paper to mark Data Privacy Day explaining how FIDO’s protocols and specifications help to protect user privacy; as the consortium put it in a synopsis, “there is no privacy with security.” FIDO points to recent research on data breaches indicating that 95% of web app hacks rely on stealing customer credentials from mobile devices—and of course those credentials are virtually all passwords. FIDO’s goal is to replace archaic password-based security systems with more advanced frameworks incorporating measures like risk-based authentication and two-factor authentication. Security systems that adhere to FIDO protocols don’t involve third parties, keep biometric data on the user’s device, require user consent for the release of data, and incorporate many other principles designed to ensure that user data is protected behind advanced authentication apparatuses. [MobileIDWorld]

US Legislation

US – Senate Marks Data Privacy Day With Passage of Critical Bill for Safe Harbor

The US Senate celebrated Data Privacy Day by passing a critical piece of legislation that will extend US privacy rights to Europeans. The Judicial Redress Act passed the Senate’s Judiciary Committee this week, putting it in front of the full Senate and making it a virtual certainty to become law. The Act will extend the same privacy rights that US citizens enjoy to European citizens, and will provide European citizens with the right to proper judicial redress over how their data is handled by American corporations and the US government. Europeans will be able to access records about themselves collected by the US government, and amend those records. It the records are disclosed unlawfully, they will be able to sue. [Source]

US – Sweeping Vermont Privacy Bill Passes State Senate

The legislation would restrict the use of drones by state and local law enforcement, generally prohibit police from obtaining electronic data (including emails, web browsing history, call and text message content, location information and files stored on third party servers such as the “cloud.” ) from service providers without a warrant or judicially issued subpoena, and would also provide some restrictions on sharing of data gathered by automatic license plate readers in the Vermont. The bill does not place limits on the use of ALPRs for “legitimate law enforcement purposes,” but it does require data to be destroyed after 18 months unless the law enforcement agency obtains a warrant, or if the plate data is relevant to the defense of a pending or reasonably anticipated charge or complaint. Under the proposed law, state and local law enforcement could share data with other agencies for a “legitimate law enforcement purpose,” but the receiving agency must adhere to the date retention limits under the state law. [Source] The bill passed with no recorded opposition. See also: [Missouri state Rep. Ken Wilson has proposed a bill to exempt police body camera footage from Freedom of Information Act requests when there is a reasonable expectation of privacy] and [Washington, DC, Council member David Grosso has introduced a bill to protect student privacy]

Workplace Privacy

CA – Court Finds Employee Incident Did Not Meet Threshold to Warrant Drug or Alcohol Testing

The International Brotherhood of Electrical Workers on behalf of George Degg file a grievance against Jacobs Industrial for violations of the Grievor’s privacy. The privacy interest of the employee should prevail over the company’s desire to positively rule out the possibility of drugs or alcohol as a factor in a vehicle accident given that minimal damage was caused (less than $5,000 in repairs) and the link between the employee’s situation and the incident (the employee had no record of safety violations, sign of impairment, injury from the accident or evidence of a potential for greater damage). [Jacobs Industrial v International Brotherhood of Electrical Workers – 2016 CanLII 198 – ON LA]

US – Study: Employee Data Not Encrypted to Level of Customer Data

A new Sophos global study of organizational security techniques found that employee data protection falls far below the organization’s treatment of customer data in mid-sized organizations, with nearly one-third of companies not routinely encrypting employee financial information and nearly 50% not doing the same for health care records. The results aren’t necessarily all bad. “Two years ago, the number of them not encrypting was in the 75% range. The fact that we’re going toward the 50-50 range is actually an awareness on their part that they don’t want to be [the organizations] in the press.” [DarkReading]

US – Census Bureau Decides Against BYOD

The US Census Bureau has decided not to allow employees to use their own Internet-connected devices while gathering information for the 2020 census. Instead, the bureau will procure devices that will run its Compass application, which runs on multiple operating systems. [FCW]